A newly uncovered threat actor named SneakyChef has been targeting government entities in multiple countries across the EMEA and Asia regions with known malware called SugarGh0st in an ongoing espionage campaign.
Researchers with Cisco Talos first reported on SugarGh0st in November 2023, after unearthing the malware as part of August 2023 attacks that targeted the Uzbekistan Ministry of Foreign Affairs and users in South Korea. After seeing the use of the malware continue in attacks against more countries since then, researchers have tied the campaign to a threat actor they call SneakyChef. The threat actor’s targeting has now expanded to include the Ministries of Foreign affairs in Latvia, Kazakhstan, Turkmenistan, India and Angola, as well as the Royal Embassy of Saudi Arabia.
“Talos assesses with medium confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, the usage of the variants of Gh0st RAT — a popular malware among various Chinese-speaking actors — and the specific targets, which includes the Ministry of Foreign affairs of various countries and other government entities,” said Chetan Raghuprasad and Ashley Shen with Cisco Talos in a Friday analysis, released in collaboration with the Yahoo! Paranoids Advanced Cyber Threats team.
The attack chain in the campaign involves decoy documents, likely delivered via phishing emails. The SugarGh0st campaign in November started the same way, but while those decoy documents used real content published in multiple Uzbekistan sources in 2021 (a document titled “investment project details.docx”) the newer attacks use scanned documents relating to government agencies or research conferences that don’t appear to be publicly available on the internet. For instance, one attack used decoy documents that purported to be from the Ministry of Foreign Affairs in Angola and related to a financial meeting between the Angolan Ministry of Fisheries and Marine Resources and a financial advisory company.
In addition to previous infection chains used by the threat actor to spread these decoy documents and ultimately execute the malware, which researchers had disclosed in November, they found another infection chain in the attack that has leveraged SFX RAR files to deliver SugarGh0st. Nick Biasini, head of outreach with Cisco Talos, said that SFX RAR files are self extracting, meaning that instead of a .rar file, an .exe file is delivered.
"It's difficult to say for certain why the actors chose this path, but rar files can require additional software to extract," said Biasini. "Rar is officially supported in Windows 11 but older versions of windows would require additional software to extract the contents, this mitigates that risk by providing the victim with a self extracting executable."
The infection chain leads to the eventual execution of SugarGh0st, which has various remote control and espionage capabilities, from taking screenshots of victims’ desktops to accessing the devices’ cameras. The RAT also attempts to cover up its track by clearing victims’ Application, Security and System event logs.
Other researchers have been tracking activities involving the SugarGh0st RAT. In May, Proofpoint researchers said they observed campaigns against a U.S. telecommunications company as well as organizations in the U.S. involved in artificial intelligence efforts in academia, the private sector and government sectors.
In addition to Gh0stRAT, these more recent campaigns rely on a new remote access trojan, which researchers call SpiceRAT. The malware relies on a well-known sideloading technique where it leverages a legitimate loader, in order to sideload a malicious loader and the payload. In this specific campaign, SpiceRAT uses a legitimate Samsung executable, the Samsung RunHelp application, in order to sideload a malicious DLL, which has previously been seen in a handful of malware campaigns.
“Talos discovered that SneakyChef has employed SpiceRAT and its plugin as the payloads in this campaign,” according to Raghuprasad and Shen. “With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks.”