December 1, 2023 at 06:24AM
A Chinese-speaking cyberespionage group has launched a campaign using SugarGh0st RAT to target Uzbekistan’s Foreign Affairs Ministry and South Korean individuals. The malware, delivered via phishing emails with malicious attachments, allows remote control and has been active since August 2023. Connections to Chinese hackers are suggested by RAT’s traits and historical use.
Meeting Takeaways:
1. A cyber-espionage campaign, potentially linked to a Chinese-speaking threat actor, commenced in August 2023, targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users.
2. The campaign utilizes a remote access trojan named SugarGh0st RAT, which is a modified version of the Gh0st RAT, commonly associated with Chinese cyber actors.
3. SugarGh0st RAT has been delivered through two different infection methods, both starting with a phishing email containing a RAR archive with a malicious Windows Shortcut file.
4. The RAR attachment contains a JavaScript dropper, batch script, customized DLL loader, an encrypted RAT payload, and a decoy document, which, when opened, initiates the multi-stage infection sequence.
5. Upon execution, the decoy document is shown to the victim, while the batch script silently launches the SugarGh0st payload using a legitimate Windows executable to avoid detection.
6. The malware has capabilities including a reverse shell, executing arbitrary commands, process enumeration and termination, taking screenshots, performing file operations, and clearing event logs to evade detection.
7. Evidence linking the campaign to China includes the use of the Gh0st RAT, adoption by Chinese hackers, the presence of Chinese names in the metadata of decoy files, and alignment with patterns of Chinese intelligence activity.
8. Recent cybersecurity reports observed that Chinese state-sponsored groups have been escalating their activities, including targeting Taiwan and repurposing residential routers for obfuscation.
Stay informed on such cybersecurity developments by following the specified news source on Twitter and LinkedIn.