{
  "name": "The Return of Ghost Emperor\u2019s Demodex",
  "slug": "the-return-of-ghost-emperors-demodex",
  "description": "This document examines a recent infection chain used by the sophisticated China-nexus threat group GhostEmperor. It details the multi-stage loading process of the Demodex rootkit, which incorporates several obfuscation techniques and loading schemes. The analysis covers the chain's components, including a batch file, a PowerShell script, and a malicious service DLL, the last of which ultimately loads a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, leveraging Cheat Engine's signed driver to bypass driver signature enforcement.",
  "published": "2024-08-08T09:12:09+00:00",
  "created_at": "2024-08-08T09:12:09+00:00",
  "modified_at": "2024-08-08T09:38:37+00:00",
  "created_at_opencti": "2024-08-08T09:12:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-08",
    "demodex",
    "ghost emperor",
    "rootkit"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "193.239.86.168"
      },
      {
        "id": "",
        "name": "imap.dateupdata.com"
      },
      {
        "id": "",
        "name": "f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5cd9810877039a71",
        "name": "Demodex",
        "slug": "demodex"
      }
    ],
    "intrusion_sets": [
      {
        "id": "bb54a862-fd81-466f-92a9-d406f4428205",
        "name": "GhostEmperor",
        "slug": "ghostemperor"
      }
    ],
    "attack_patterns": [
      {
        "id": "21c4e6c3-03e8-46f1-835f-2e7d8f926c2e",
        "name": "T1578"
      },
      {
        "id": "6c54bb5e-b90c-478e-b1fb-705daf1869b3",
        "name": "T1197"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56",
        "name": "T1570"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-20399"
      }
    ]
  },
  "external_refs": [
    "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit",
    "https://otx.alienvault.com/pulse/66b4a8094b782626504a1a8f"
  ]
}