Talos Intelligence has found a refined cyber movement attributed to the dangerous actor SneakyChef. This operation leverages the SugarGh0st RAT and other malware to target government agencies, investigation organizations, and different associations worldwide. The campaign started in early August 2023 and initially targeted users in Uzbekistan and South Korea. However, it has since grown to contain targets in a broader geographical location, including:

• EMEA: Angola, Turkmenistan, Kazakhstan, India, Saudi Arabia, and Latvia
• Asia: India, Uzbekistan, and Kazakhstan
• Europe: Latvia and Lithuania

However, the criticizers use temptation records to copy government agencies and analyze organizations, and attract victims. These records contain:

• Government-themed lures: Circulars, reports, and statements from various churches and embassies
• Investigation conference-themed lures: Abstracts, application forms, and invitations to meetings

The chain of infection and malware

Two disease chains used a negative RAR with an LNK file, likely delivered via phishing email. According to the Talos news, The movement operates the SugarGh0st RAT and another RAT dubbed “SpiceRAT.” The disease chain utilizes SFX RAR files as the initial attack vector.

Moreover, when directed, these files fall into a decoy paper, a DLL loader, encrypted SugarGh0st, and a negative VB script into the victim’s momentary user profile folder. The VB script demonstrates industry by registering authority to the registry key UserInitMprLogonScript, which is conducted when a user logs into the system.

Additionally, the loader DLL reads the encrypted SugarGh0st RAT, decrypts it and injects it into a revolution. This method is identical to that utilized in a prior SugarGh0st campaign announced by Kazakhstan country in February. Despite initial exposure in November 2023, the SneakyChef threat actor resumes to leverage old and new command and control (C2) territories.

Hereon, the C2 field account[.]drive-google-com[.]tk was even active until mid-May, and a new domain, account[.]gommask[.]online, was formed in March 2024.

Indicators of Compromise associated with this hazard can be discovered here.

The mitigation and response process

The finding of this movement emphasizes the significance of strong cybersecurity standards. Institutions should:

1. Update protection software to contain the latest hazard definitions.
2. Educate workers about phishing attacks and secure email techniques.
3. Execute progressive network monitoring to catch unique actions.
4. Keep frequent backups of essential data to mitigate the effect of possible breaches.

The continued moves of the SneakyChef hazard actor highlight the need for ongoing caution in the digital era.