While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting undocumented loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.

In an attempt to trace the duration of the observed attacks, we were able to see the toolset in question being used from as early as July 2020. Furthermore, we could see that the actor was mostly focused on South East Asian targets, with outliers in Egypt, Afghanistan and Ethiopia, which included several governmental entities and telecommunication companies. With a long-standing operation, high profile victims, an advanced toolset and no affinity to a known threat actor, we decided to dub the underlying cluster GhostEmperor. Our investigation into this activity leads us to believe that the underlying actor is highly skilled and accomplished in their craft, both of which are evident through the use of a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques.

We identified multiple attack vectors that triggered an infection chain leading to the execution of malware in memory. We noticed that the majority of the GhostEmperor infections were deployed on public facing servers, as many of the malicious artefacts were installed by the 'httpd.exe' Apache server process, the 'w3wp.exe' IIS worker process, or the Oracle OC4J application server ('oc4j.jar'). This means that the attackers likely abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files. It is worth mentioning that one of the GhostEmperor infections affected an Exchange server, and took place on March 4, 2021. This was only two days after the patch for the ProxyLogon vulnerability was released by Microsoft, and it is possible that the attackers exploited this vulnerability in order to achieve remote code execution on vulnerable Exchange servers.

Although GhostEmperor's infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate command line utility by Microsoft originally called MpCmdRun.exe. The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf.
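The delivery observations above (artefacts dropped by httpd.exe, w3wp.exe or an OC4J JVM; a renamed MpCmdRun.exe side-loading a DLL; a Cheat Engine kernel component abused to get an unsigned driver loaded) translate directly into hunt rules. The Python below is an added example, not code from the report or from the actor's toolset. It runs three checks over constructed Sysmon-style events (Event ID 1 process creation, Event ID 6 driver load): a web-server parent spawning a child, a process whose image name differs from its PE OriginalFileName, and a load of Cheat Engine's kernel driver. The driver file names dbk64.sys/dbk32.sys and every sample event are assumptions constructed for the example; the page does not say which Cheat Engine file the actor used or whether it kept its name.

```python
"""
Hunt rules for the GhostEmperor delivery patterns described above, run over
constructed Sysmon-style events (Event ID 1 = process creation, Event ID 6 =
driver load). Added example; not code from the report or the actor's toolset.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Web/app-server processes the page names as the parents of the malicious artefacts.
WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe"}
# oc4j.jar runs inside a JVM, so the parent image is java.exe; match the jar on the command line.
WEB_SERVER_CMDLINE_MARKERS = ("oc4j.jar",)
# Cheat Engine's kernel driver file names. Assumption: the page only says the
# Cheat Engine kernel component was abused, not which file or whether it was renamed.
CHEAT_ENGINE_DRIVERS = {"dbk64.sys", "dbk32.sys"}


def basename(path: str) -> str:
    """Case-folded file name of a Windows path ('' for a missing field)."""
    return PureWindowsPath(path).name.lower() if path else ""


def check_process_event(ev: dict) -> list[str]:
    """Rules for a Sysmon Event ID 1 record."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    parent_cmd = ev.get("ParentCommandLine", "").lower()

    # Rule 1: a web server process spawning a child (web shell or exploit dropping a BAT).
    if parent in WEB_SERVER_IMAGES or any(m in parent_cmd for m in WEB_SERVER_CMDLINE_MARKERS):
        findings.append(f"web server {parent} spawned {image}")

    # Rule 2: a binary running under a different name than its PE OriginalFileName
    # (the page's wdichost.exe is a renamed MpCmdRun.exe). Sysmon writes '?' when the
    # field is absent from the version resource, so that value is skipped.
    orig = ev.get("OriginalFileName", "").lower()
    if orig and orig != "?" and orig != image:
        findings.append(f"renamed binary: {image} has OriginalFileName {orig}")
    return findings


def check_driver_event(ev: dict) -> list[str]:
    """Rule 3, for a Sysmon Event ID 6 record: a known Cheat Engine driver being loaded."""
    drv = basename(ev.get("ImageLoaded", ""))
    return [f"Cheat Engine kernel driver loaded: {drv}"] if drv in CHEAT_ENGINE_DRIVERS else []


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (UtcTime, Computer, finding) for every rule hit across the event list."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings = check_process_event(ev)
        elif ev.get("EventID") == 6:
            findings = check_driver_event(ev)
        else:
            findings = []
        hits.extend((ev.get("UtcTime", ""), ev.get("Computer", ""), f) for f in findings)
    return hits


# Constructed sample events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-03-04 10:15:02", "Computer": "EXCH01",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r"c:\windows\system32\inetsrv\w3wp.exe -ap MSExchangeOWAAppPool"},
    {"EventID": 1, "UtcTime": "2021-03-04 10:15:09", "Computer": "EXCH01",
     "Image": r"C:\Windows\Temp\wdichost.exe", "OriginalFileName": "MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Windows\Temp\run.bat"},
    {"EventID": 1, "UtcTime": "2021-03-04 10:16:00", "Computer": "EXCH01",
     "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe"},
    {"EventID": 1, "UtcTime": "2021-03-05 03:41:17", "Computer": "APP02",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Oracle\jdk\bin\java.exe",
     "ParentCommandLine": r"java.exe -jar C:\Oracle\oc4j\j2ee\home\oc4j.jar -config server.xml"},
    {"EventID": 6, "UtcTime": "2021-03-04 10:17:45", "Computer": "EXCH01",
     "ImageLoaded": r"C:\Windows\Temp\dbk64.sys", "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for when, host, finding in hunt(SAMPLE_EVENTS):
        print(f"{when} {host}: {finding}")
```

Rule 1 is the high-signal one: IIS, Apache and an application-server JVM rarely spawn cmd.exe on a healthy server, and the page attributes most GhostEmperor drops to exactly those parents. Rule 2 is an enrichment rather than an alert on its own, since administrators do copy and rename Microsoft tools; it needs a Sysmon version that populates OriginalFileName (v10 and later). Rule 3 matches only the original file name; a signed driver can be renamed freely, so in practice you would also pivot on the signer or hash of the driver once you have a sample, which the page does not provide.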