Advanced persistent threat (APT) actors are constantly seeking new, more sophisticated ways to perform their attacks and, according to Kaspersky’s quarterly report, the threat landscape saw an increase in attacks against Microsoft Exchange servers in Q2 2021.

In the latest APT 2021 Report, Kaspersky reveals the details of a long-standing operation, ‘GhostEmperor’, which uses Microsoft Exchange vulnerabilities to target high-profile victims with an advanced toolset and no affinity to any known threat actor.

GhostEmperor is a Chinese-speaking threat actor that has been discovered by Kaspersky researchers. It mostly focuses on targets in Southeast Asia, including several governmental entities and telecoms companies.

This actor stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions.

To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving the component of an open-source project named “Cheat Engine”.

This advanced toolset is unique and Kaspersky researchers see no affinity to already known threat actors. Kaspersky experts have surmised that this toolset has been in use since at least July 2020.

“As detection and protection techniques evolve, so do APT actors,” comments David Emm, security expert at Kaspersky. “They typically refresh and update their toolsets. GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit.

“Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.”

Besides the growth of attacks against Microsoft Exchange servers, Kaspersky experts also highlight the following trends on the APT landscape in Q2:

  • There has been a rise in APT threat actors leveraging exploits to gain an initial foothold in attacked networks – including the zero-days developed by the exploit developer ‘Moses’ and those used in the PuzzleMaker, Pulse Secure attacks, and the Microsoft Exchange server vulnerabilities
  • APT threat actors continue to invest in refreshing their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages, as seen by WildPressure’s macOS-supported Python malware
  • While some of the supply-chain attacks were major and have attracted worldwide attention, Kaspersky experts also observed equally successful low-tech attacks, such as BountyGlad, CoughingDown, and the attack targeting Codecov, which signaled that low-key campaigns still represent a significant threat to security