SneakyChef APT Slices Up Foreign Affairs With SugarGh0st

Publicated : 23/11/2024   Category : security




Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.



A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed SugarGh0st RAT, to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called SneakyChef has been cooking up new campaigns across more countries.
Based on its lure documents, likely targets for the campaign have included:

- Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
- The ministries of agriculture and forestry, and fisheries and marine resources in Angola
- The Saudi Arabian embassy in Abu Dhabi
Talos itself has not attributed SneakyChef to any particular government. It did note, however, the Chinese language preferences present in the group's code, its use of SugarGh0st RAT — particularly, though not exclusively, popular among Chinese threat actors — and the similar profile of its targets.
Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.
"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."
Among the goodies the SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.
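Because the article's point is that a self-extracting RAR is a Windows executable carrying an archive inside it, a defender triaging suspicious attachments can flag that shape directly. The following Python is an added example written for this page, not code from Talos or from the campaign: it checks whether a file is a PE image and, if so, whether a RAR4 or RAR5 archive signature follows the PE header, which is how an SFX RAR is laid out. The sample bytes it builds (`build_sample`) are constructed stand-ins for an SFX file, not real campaign samples; legitimate installers are also SFX archives, so a hit is a reason to unpack and inspect the contents (a document, a DLL, an encrypted blob and a VBS together would match the drop set described above), not a verdict on its own.

```python
import struct

# Archive signatures that start a RAR archive; an SFX RAR is a PE stub with one of these appended.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_embedded_rar(data: bytes):
    """Return (offset, 'RAR4' or 'RAR5') for the first RAR signature found inside a PE, else None.

    A plain .rar file (no PE stub) deliberately returns None: the point is to catch
    archives that execute themselves, not archives in general.
    """
    if not is_pe(data):
        return None
    hits = []
    for magic, label in ((RAR5_MAGIC, "RAR5"), (RAR4_MAGIC, "RAR4")):
        idx = data.find(magic, 0x40)  # skip the DOS header itself
        if idx != -1:
            hits.append((idx, label))
    return min(hits) if hits else None


def triage(data: bytes) -> dict:
    """Summarise what a scanner would report for one file's bytes."""
    hit = find_embedded_rar(data)
    return {
        "is_pe": is_pe(data),
        "sfx_rar": hit is not None,
        "rar_offset": hit[0] if hit else None,
        "rar_version": hit[1] if hit else None,
    }


def build_sample(rar_magic: bytes, rar_offset: int = 0x200) -> bytes:
    """Construct a minimal fake PE (MZ header, e_lfanew=0x80, 'PE\\0\\0' at 0x80) with
    rar_magic placed at rar_offset. This is test scaffolding, not a real executable."""
    buf = bytearray(rar_offset + len(rar_magic) + 16)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[rar_offset:rar_offset + len(rar_magic)] = rar_magic
    return bytes(buf)


if __name__ == "__main__":
    for name, sample in (
        ("constructed SFX (RAR5)", build_sample(RAR5_MAGIC)),
        ("constructed SFX (RAR4)", build_sample(RAR4_MAGIC, 0x300)),
        ("plain RAR, no PE stub", RAR5_MAGIC + b"\x00" * 64),
        ("PE with no archive", build_sample(b"\x00" * 7)),
    ):
        print(f"{name:26s} -> {triage(sample)}")
```

To run this over a mail gateway's quarantine, read each attachment's bytes and call `triage`; a true `sfx_rar` on a file that arrived as a document attachment is worth routing to sandbox detonation, where the dropped decoy, loader DLL and persistence script described in the article would become visible.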
The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)
When it comes to government cyberespionage, "what we commonly see is that this would be the first wave. This actor is not typically highly sophisticated; they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. "Then, when they need access to a specific, extra-secured government body, that's when you start seeing the more sophisticated elements of these attacks play out."
