
Chinese hackers use SpiceRAT and SugarGh0st in worldwide espionage operation

A new Chinese-speaking threat actor named SneakyChef has been discovered to be involved in an espionage campaign targeting government organizations in Asia and EMEA (Europe, Middle East, and Africa) using SugarGh0st malware since August 2023.

According to an analysis by Cisco Talos researchers Chetan Raghuprasad and Ashley Shen published recently, SneakyChef uses scanned government document lures, mainly related to Ministries of Foreign Affairs or embassies of various countries.

Cisco Talos first documented this threat actor's activity in late November 2023, when it targeted South Korea and Uzbekistan with SugarGh0st, a customized version of Gh0st RAT.

A subsequent Proofpoint analysis in May revealed that a cluster tracked as UNK_SweetSpecter was using the SugarGh0st RAT against U.S. organizations involved in artificial intelligence efforts.

Talos has observed that the targeting has expanded to include government entities in Angola, India, Latvia, Saudi Arabia, and Turkmenistan, indicating a wider range of countries being affected by this malware.

In addition to using Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st, the attackers have also employed a self-extracting RAR archive (SFX) as an initial infection vector along with a Visual Basic Script (VBS) to execute the malware and display decoy files.

In the attacks on Angola, the actor also deployed a new remote access trojan named SpiceRAT, using lures taken from Neytralny Turkmenistan, a Russian-language newspaper in Turkmenistan.

SpiceRAT utilizes different infection chains, including one that deploys the malware using DLL side-loading techniques from an LNK file inside a RAR archive.

According to researchers, the attack uses a hidden folder and a disguised shortcut file to execute the malicious launcher executable.

In this chain, the launcher sideloads a rogue DLL through a legitimate binary (“dxcap.exe”), and that DLL in turn loads SpiceRAT. Once running, the malware expands the victim’s attack surface by downloading and executing arbitrary commands.

Another SpiceRAT chain likewise uses DLL side-loading to start a DLL loader, which checks whether it is being debugged and then runs the main module from memory.
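As an added defender-side example (not from the article or from Talos), the following Python sketch flags the side-loading pattern described above: the legitimate dxcap.exe being launched from, or loading a DLL out of, a directory other than the Windows system directories. The expected location of the genuine binary, the event shape, and the sample events are assumptions and constructed data.

```python
"""Flag DLL side-loading of a legitimate Windows binary (dxcap.exe) using
simplified process-creation and image-load events (assumed event shape)."""
import ntpath

# Where a genuine dxcap.exe is expected to live (assumption, not from the article).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, quotes stripped."""
    return ntpath.dirname(path.lower().strip('"'))


def is_trusted_dir(path: str) -> bool:
    """True when the file sits in one of the expected system directories."""
    return _dir(path) in TRUSTED_DIRS


def analyze(events):
    """Return alert strings for side-loading indicators in a list of events.

    Each event is a dict with 'type' of 'process' (key 'image') or
    'imageload' (keys 'process' and 'dll'); paths are Windows paths.
    """
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            if ntpath.basename(ev["image"].lower()) == "dxcap.exe" and not is_trusted_dir(ev["image"]):
                alerts.append(f"dxcap.exe launched from untrusted dir: {ev['image']}")
        elif ev["type"] == "imageload":
            # The side-load itself: dxcap.exe resolving a DLL from its own non-system directory.
            if (ntpath.basename(ev["process"].lower()) == "dxcap.exe"
                    and not is_trusted_dir(ev["dll"])
                    and _dir(ev["dll"]) == _dir(ev["process"])):
                alerts.append(f"dxcap.exe loaded DLL from its own untrusted dir: {ev['dll']}")
    return alerts


# Constructed sample events (not real telemetry); the hidden folder mirrors the lure layout described.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\dxcap.exe"},
    {"type": "process", "image": r"C:\Users\user\Downloads\extracted\.hidden\dxcap.exe"},
    {"type": "imageload", "process": r"C:\Users\user\Downloads\extracted\.hidden\dxcap.exe",
     "dll": r"C:\Users\user\Downloads\extracted\.hidden\rogue.dll"},
    {"type": "imageload", "process": r"C:\Windows\System32\dxcap.exe",
     "dll": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, one for the process launch and one for the DLL load; the two system-directory events produce none.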

Talos notes that these capabilities increase the risk of further attacks on the victim’s network.
