A previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023.
“SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies,” Cisco Talos researchers Chetan Raghuprasad and Ashley Shen said in an analysis published today.
Activities related to the hacking crew were first highlighted by the cybersecurity company in late November 2023 in connection with an attack campaign that singled out South Korea and Uzbekistan with a custom variant of Gh0st RAT called SugarGh0st.
A subsequent analysis from Proofpoint last month uncovered the use of SugarGh0st RAT against U.S. organizations involved in artificial intelligence efforts, including those in academia, private industry, and government service. It’s tracking the cluster under the name UNK_SweetSpecter.
Talos said that it has since observed the same malware being used to likely focus on various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted.
In addition to leveraging attack chains that make use of Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st, the new wave has been found to employ a self-extracting RAR archive (SFX) as an initial infection vector to launch a Visual Basic Script (VBS) that ultimately executes the malware by means of a loader while simultaneously displaying the decoy file.
The attacks against Angola are also notable for the fact that it utilizes a new remote access trojan codenamed SpiceRAT using lures from Neytralny Turkmenistan, a Russian-language newspaper in Turkmenistan.
SpiceRAT, for its part, employs two different infection chains for propagation, one of which uses an LNK file present inside a RAR archive that deploys the malware using DLL side-loading techniques.
“When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine,” the researchers said. “After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder.”
The launcher then proceeds to display the decoy document to the victim and run a legitimate binary (“dxcap.exe”), which subsequently sideloads a malicious DLL responsible for loading SpiceRAT.
The second variant entails the use of an HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader binary, with the former launching the executable by means of a scheduled task every five minutes.
The batch script is also engineered to run another legitimate executable “ChromeDriver.exe” every 10 minutes, which then sideloads a rogue DLL that, in turn, loads SpiceRAT. Each of these components – ChromeDriver.exe, the DLL, and the RAT payload – are extracted from a ZIP archive retrieved by the downloader binary from a remote server.
SpiceRAT also takes advantage of the DLL side-loading technique to start a DLL loader, which captures the list of running processes to check if it’s being debugged, followed by running the main module from memory.
“With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks,” Talos said.
