The Great Firewall Breach: Unmasking SugarGh0st RAT's Covert Assault on Uzbekistan and South Korea

Recent reports from Cisco Talos researchers have uncovered a malicious campaign targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users. The threat actor, believed to be Chinese-speaking, is utilizing a remote access trojan known as SugarGh0st RAT.

The campaign, active since at least August 2023, uses two distinct infection chains to deliver the malware. SugarGh0st RAT is a customized variant of Gh0st RAT (aka Farfli) with features for carrying out remote administration tasks at the direction of the command and control (C2) server. It speaks a modified communication protocol, and its lineage from Gh0st RAT is evident from similarities in command structure and code strings.

Attack Vector: Phishing Emails and Multi-Stage Process

The attacks begin with phishing emails carrying decoy documents. Opening the attachment triggers a multi-stage process that ends with the deployment of SugarGh0st RAT. The email attachment is a RAR archive containing a Windows Shortcut file, which in turn carries a heavily obfuscated JavaScript dropper; the decoy document is embedded in that dropper.

Researchers at Cisco Talos, Ashley Shen, and Chetan Raghuprasad, explain, "The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document."

While the victim is shown the decoy document, the batch script runs in the background and launches a copied version of the legitimate Windows executable rundll32.exe, which side-loads the customized DLL loader. The loader then decrypts and launches the SugarGh0st payload.

Second Variant: DynamicWrapperX and Shellcode

The second variant also uses a RAR archive with a malicious Windows Shortcut file as the lure. In this case, the embedded JavaScript uses DynamicWrapperX to run shellcode that launches SugarGh0st.

SugarGh0st RAT Capabilities

SugarGh0st, a 32-bit dynamic-link library (DLL) written in C++, establishes contact with a hard-coded command-and-control (C2) domain. This allows it to transmit system metadata to the server, launch a reverse shell, and execute arbitrary commands. Additionally, the malware can enumerate and terminate processes, capture screenshots, perform file operations, and clear machine event logs to cover its tracks and evade detection.
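Two behaviours in the chain above give defenders something concrete to look for: a copy of rundll32.exe running from outside the Windows system directories and loading a DLL dropped in %TEMP%, and the clearing of event logs. The following detector is an added example written for this page, not code from the article or from Cisco Talos. It runs over constructed process-creation records (the field names, file paths, DLL name and rule names are all illustrative assumptions, not indicators from the real campaign) and reports which rule fired for each event.

```python
"""Added example: flag side-loaded rundll32 copies and event-log clearing
in process-creation telemetry. All sample events below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed locations; adjust to the environment being monitored.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# wevtutil cl <log> / wevtutil clear-log <log>, with or without a quoted .exe path
WEVTUTIL_CLEAR = re.compile(r'wevtutil(\.exe)?"?\s+(cl|clear-log)\b')


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema)."""
    image: str          # full path of the started executable
    cmdline: str        # full command line
    parent_image: str   # full path of the parent process


def detect(ev: ProcEvent) -> List[str]:
    """Return the names of every rule that fires for one event."""
    hits = []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    is_rundll32 = img.endswith("\\rundll32.exe")

    # Rule 1: rundll32.exe executing from anywhere but the system directories
    # (a copied binary, as used to side-load the custom DLL loader).
    if is_rundll32 and not img.startswith(SYSTEM_DIRS):
        hits.append("rundll32-outside-system-dir")

    # Rule 2: rundll32.exe given a module that lives in a temp directory.
    if is_rundll32 and any(t in cmd for t in TEMP_DIRS):
        hits.append("rundll32-loads-dll-from-temp")

    # Rule 3: event-log clearing via wevtutil or PowerShell Clear-EventLog.
    if WEVTUTIL_CLEAR.search(cmd) or "clear-eventlog" in cmd:
        hits.append("event-log-cleared")
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


# Constructed sample telemetry: one benign event and three that should alert.
SAMPLE_EVENTS = [
    ProcEvent(
        image="C:\\Windows\\System32\\rundll32.exe",
        cmdline="rundll32.exe shell32.dll,Control_RunDLL",
        parent_image="C:\\Windows\\explorer.exe",
    ),
    ProcEvent(  # copied rundll32.exe started by a batch script, loading a temp DLL
        image="C:\\Users\\victim\\AppData\\Local\\Temp\\rundll32.exe",
        cmdline='"C:\\Users\\victim\\AppData\\Local\\Temp\\rundll32.exe" '
                'C:\\Users\\victim\\AppData\\Local\\Temp\\loader.dll,Start',
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    ProcEvent(
        image="C:\\Windows\\System32\\wevtutil.exe",
        cmdline='"C:\\Windows\\System32\\wevtutil.exe" cl Security',
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    ProcEvent(
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        cmdline="powershell.exe -Command Clear-EventLog -LogName System",
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] image={ev.image} parent={ev.parent_image}")
```

Rule 1 is the high-signal one: a legitimate rundll32.exe only ever runs from System32 or SysWOW64, so any other path is a copied binary regardless of what it loads. Rule 2 will also fire on some benign installers, so in practice it is best weighted alongside the parent process (a cmd.exe parent launched from a user's temp directory) rather than alerted on alone.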

Chinese Attribution and Historical Context

The attribution of this campaign to Chinese-speaking threat actors rests on the origins of Gh0st RAT and its widespread use by Chinese threat actors since 2008. Further evidence is the presence of Chinese names in the "last modified by" field of the decoy documents' metadata. Gh0st RAT has long been a mainstay of Chinese threat actors' toolsets.

The researchers note, "Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs aligns with the scope of Chinese intelligence activity abroad."

Broader Trends: Chinese State-Sponsored Attacks

This disclosure fits a broader trend of Chinese state-sponsored groups targeting various regions. Over the last six months, Taiwan has seen heightened attacks in which attackers repurposed residential routers to mask their intrusions, according to Google.

As cybersecurity threats continue to evolve, staying vigilant and implementing robust security measures are crucial to safeguarding sensitive information and national interests.
