The Return of Ghost Emperor’s Demodex
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
This document examines a recent infection chain utilized by the sophisticated China-nexus threat group GhostEmperor. It delves into the multi-stage loading process of the Demodex rootkit, which incorporates several obfuscation techniques and loading schemes. The analysis covers various components, including a batch file, PowerShell script, and malicious service DLL, which ultimately loads a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, leveraging Cheat Engine's signed driver to bypass driver signature enforcement.
OPENCTI LABELS :
rootkit,demodex,ghost emperor
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
The Return of Ghost Emperor’s Demodex