‘SneakyChef’ APT Slices Up Foreign Affairs With SugarGh0st

June 21, 2024 at 04:51PM

Chinese-language APT group “SneakyChef” has been conducting government cyberespionage across multiple countries, using the SugarGh0st RAT and, more recently, SpiceRAT. Targeting ministries and embassies, the group uses SFX RAR files to deliver both malware and decoy documents. The campaign appears designed to harvest data broadly first and then establish footholds for later, more targeted intrusions.

According to Cisco Talos, a Chinese-language advanced persistent threat (APT) group tracked as “SneakyChef” has been conducting cyber espionage against government ministries and embassies across the eastern hemisphere. The group uses a modified version of Gh0st RAT, called “SugarGh0st RAT,” as well as a newer tool named “SpiceRAT,” in its campaigns.

Likely targets of the campaign include ministries of foreign affairs, agriculture, forestry and fisheries, as well as specific embassies such as the Saudi Arabian embassy in Abu Dhabi. The group has shown a preference for self-extracting RAR archives (SFX RAR) as the initial infection vector; each archive bundles a decoy document, a DLL loader, an encrypted malware payload and a malicious VBScript used for persistence.
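The delivery format described above lends itself to a simple file-triage check: an SFX RAR is a Windows PE stub with a RAR archive appended, so a file that begins with an MZ header and also contains a RAR signature further in is worth a closer look, and the combination of a decoy document, a DLL, a script and an opaque data blob inside it matches the bundle described here. The following script is an added example, not code from the article or from Cisco Talos; the RAR signatures and PE magic are standard, while the member-name scoring, the extension lists and the sample inputs are assumptions constructed for illustration.

```python
"""Triage helper for SFX RAR droppers of the kind described in the article.

Added example; not code from the article or from Cisco Talos. The signature
bytes are the standard RAR4/RAR5 and PE magics; the extension sets and the
scoring rule are illustrative assumptions, not SneakyChef indicators.
"""
import os

# Standard archive signatures (not assumptions): RAR 4.x and RAR 5.x headers.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Assumed extension buckets for classifying archive members.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".bat", ".ps1"}
LOADER_EXT = {".dll", ".exe"}


def find_sfx_rar(blob: bytes):
    """Return (offset, version) if `blob` is a PE with an embedded RAR archive.

    A genuine SFX stub starts with the PE 'MZ' magic and carries the archive
    after the executable code, so the RAR signature appears at a non-zero
    offset. A plain RAR (signature at offset 0) or a PE with no RAR signature
    returns None.
    """
    if not blob.startswith(b"MZ"):
        return None
    for magic, version in ((RAR5_MAGIC, "rar5"), (RAR4_MAGIC, "rar4")):
        offset = blob.find(magic, 2)
        if offset != -1:
            return offset, version
    return None


def classify_members(names):
    """Bucket archive member names by extension and flag the dropper pattern.

    The rule (assumed for this example): a decoy document plus a loader DLL/EXE
    plus either a script or an opaque blob (unknown extension, treated as a
    possible encrypted payload) is reported as suspicious.
    """
    flags = {"decoy": False, "loader": False, "script": False, "opaque": False}
    for name in names:
        ext = os.path.splitext(name)[1].lower()
        if ext in DECOY_EXT:
            flags["decoy"] = True
        elif ext in LOADER_EXT:
            flags["loader"] = True
        elif ext in SCRIPT_EXT:
            flags["script"] = True
        else:
            flags["opaque"] = True
    flags["suspicious"] = (
        flags["decoy"] and flags["loader"] and (flags["script"] or flags["opaque"])
    )
    return flags


def triage(blob: bytes, member_names):
    """Combine the container check and the member-pattern check."""
    sfx = find_sfx_rar(blob)
    members = classify_members(member_names)
    return {
        "is_sfx_rar": sfx is not None,
        "archive_offset": sfx[0] if sfx else None,
        "archive_version": sfx[1] if sfx else None,
        "members": members,
        "verdict": "review" if (sfx and members["suspicious"]) else "no-match",
    }


# Constructed sample: a fake PE stub followed by a RAR5 signature, and a member
# list shaped like the bundle described in the article. Not a real sample.
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + b"\x00" * 100 + RAR5_MAGIC + b"\x00" * 16
SAMPLE_MEMBERS = ["meeting_agenda.pdf", "libcurl.dll", "update.vbs", "data.dat"]

if __name__ == "__main__":
    print(triage(SAMPLE_SFX, SAMPLE_MEMBERS))
```

The container check only reads the two signatures, so it runs on any file without needing a RAR parser; in practice you would pull the member list from the archive with a RAR library or `unrar l`, which is why `triage` takes the names as a separate argument.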

The decoy documents used by SneakyChef are legitimate scanned documents relating to the targeted ministries or embassies, often describing government business such as upcoming meetings or conferences. Talos speculates that these documents were themselves obtained through espionage, since they are not found on the open web.

In summary, SneakyChef’s espionage appears to begin with a broad initial wave that infects many targets to gather data, followed by more sophisticated attacks when the group needs access to specific, highly secured government bodies. Cisco Talos points to the Chinese-language preferences in the group’s code, its choice of targets, and the evolution of its toolset, but has not attributed the activity to a specific government at this time.
