A previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023.
“SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies,” Cisco Talos researchers Chetan Raghuprasad and Ashley Shen said in an analysis published today.
Activities associated with the hacking crew were first highlighted by the cybersecurity company in late November 2023 in connection with an attack campaign that singled out South Korea and Uzbekistan with a custom variant of Gh0st RAT called SugarGh0st.
A subsequent analysis from Proofpoint last month uncovered the use of SugarGh0st RAT against U.S. organizations involved in artificial intelligence efforts, including those in academia, private industry, and government service. Proofpoint is tracking the cluster under the name UNK_SweetSpecter.
Talos said that it has since observed the same malware being used to likely target various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan, based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted.
In addition to leveraging attack chains that employ Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st, the new wave has been found to use a self-extracting RAR archive (SFX) as an initial infection vector to launch a Visual Basic Script (VBS) that ultimately executes the malware by means of a loader while simultaneously displaying the decoy file.
The attacks against Angola are also notable for the fact that they use a new remote access trojan codenamed SpiceRAT, delivered with lures taken from Neytralny Turkmenistan, a Russian-language newspaper in Turkmenistan.
SpiceRAT, for its part, employs two different infection chains for propagation, one of which uses an LNK file present inside a RAR archive that deploys the malware using DLL side-loading techniques.
“When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine,” the researchers said. “After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder.”
The launcher then proceeds to display the decoy document to the victim and run a legitimate binary (“dxcap.exe”), which subsequently sideloads a malicious DLL responsible for loading SpiceRAT.
The second variant involves the use of an HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader binary, with the batch script launching the downloader by means of a scheduled task that runs every five minutes.
The batch script is also engineered to run another legitimate executable, “ChromeDriver.exe”, every 10 minutes, which then sideloads a rogue DLL that, in turn, loads SpiceRAT. Each of these components – ChromeDriver.exe, the DLL, and the RAT payload – is extracted from a ZIP archive retrieved by the downloader binary from a remote server.
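Both SpiceRAT chains leave the same observable traces on an endpoint: a legitimate host binary (dxcap.exe, ChromeDriver.exe) running from a user-writable directory and loading an unsigned DLL from that same directory, an HTA (mshta.exe) spawning a command interpreter, and a scheduled task that repeats every few minutes. The following is an added example, not Talos's or the article's code, of how a detection engineer might encode those traits as rules over Sysmon-style process-create and image-load events. The event field names, the sample events, every file path, the DLL and task names, and the 15-minute interval threshold are all constructed for illustration and are not indicators from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a standard user can write to. A host binary running from one of
# these next to the DLL it loads is the side-loading layout the chains rely on.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")

# Side-loading hosts named in the article; a real rule set would carry many more.
NAMED_HOSTS = {"dxcap.exe", "chromedriver.exe"}

# schtasks switches for a minute-granular repeating task, e.g. "/sc minute /mo 5".
SC_MINUTE = re.compile(r"/sc\s+minute", re.I)
MO_VALUE = re.compile(r"/mo\s+(\d+)", re.I)
SHORT_INTERVAL_MAX = 15  # assumed threshold: repeating at <= 15 min is suspicious

# Interpreters an HTA has no benign reason to spawn on most endpoints (assumption).
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def in_user_writable(path: str) -> bool:
    low = path.lower().replace("/", "\\")
    return any(seg in low for seg in USER_WRITABLE)


def check_image_load(ev: dict) -> list[Alert]:
    """ev: {'type': 'image_load', 'image': host exe, 'loaded': DLL path, 'signed': bool}."""
    host, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    alerts: list[Alert] = []
    if host.name.lower() in NAMED_HOSTS and in_user_writable(ev["image"]):
        alerts.append(Alert("named_host_outside_install_dir", f"{host.name} ran from {host.parent}"))
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    if host.parent == dll.parent and not ev.get("signed", False) and in_user_writable(ev["image"]):
        alerts.append(Alert("unsigned_dll_from_image_dir", f"{host.name} loaded {dll.name} from its own directory"))
    return alerts


def check_process_create(ev: dict) -> list[Alert]:
    """ev: {'type': 'process_create', 'image': exe, 'parent': parent exe, 'cmdline': str}."""
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent"]).name.lower()
    cmd = ev.get("cmdline", "")
    alerts: list[Alert] = []
    if image == "schtasks.exe" and SC_MINUTE.search(cmd):
        m = MO_VALUE.search(cmd)
        interval = int(m.group(1)) if m else 1  # schtasks defaults /mo to 1 when omitted
        if interval <= SHORT_INTERVAL_MAX:
            alerts.append(Alert("short_interval_scheduled_task", f"repeats every {interval} min: {cmd}"))
    if parent == "mshta.exe" and image in INTERPRETERS:
        alerts.append(Alert("mshta_spawned_interpreter", f"mshta.exe -> {image}"))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    out: list[Alert] = []
    for ev in events:
        if ev["type"] == "image_load":
            out.extend(check_image_load(ev))
        elif ev["type"] == "process_create":
            out.extend(check_process_create(ev))
    return out


# Constructed sample telemetry (not real data): paths, DLL names and the task name are placeholders.
SAMPLE_EVENTS = [
    # LNK chain: launcher ran dxcap.exe from the dropped hidden folder, which loaded an unsigned DLL beside it.
    {"type": "image_load", "image": r"C:\Users\victim\Documents\.hidden\dxcap.exe",
     "loaded": r"C:\Users\victim\Documents\.hidden\placeholder.dll", "signed": False},
    # Benign: a system process loading a signed system DLL.
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll", "signed": True},
    # HTA chain: mshta.exe spawning cmd.exe to run the dropped batch script.
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": r"cmd.exe /c C:\ProgramData\run.bat"},
    # HTA chain: the batch script registering the downloader to run every five minutes.
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "Placeholder" /tr "C:\ProgramData\dl.exe" /f'},
    # HTA chain: ChromeDriver.exe extracted to ProgramData loading an unsigned DLL beside it.
    {"type": "image_load", "image": r"C:\ProgramData\cd\ChromeDriver.exe",
     "loaded": r"C:\ProgramData\cd\placeholder.dll", "signed": False},
    # Benign: a daily task is outside the short-interval rule.
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr backup.exe'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run against the constructed events, the scan raises two alerts for each side-loading host, one for the five-minute task and one for the mshta.exe child, and stays quiet on the benign events. The directory-based rules deliberately do not depend on knowing the malicious DLL's name, so they also catch a renamed payload; the cost is that legitimate software installed under a user profile will need an allow-list.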
SpiceRAT also takes advantage of the DLL side-loading technique to start a DLL loader, which captures the list of running processes to check whether it is being debugged, followed by running the main module from memory.
“With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks,” Talos said.