Security researchers have recently raised the alarm about a new cyberespionage campaign that is specifically targeting artificial intelligence experts across various sectors such as private industry, government, and academia. The perpetrators behind these attacks, believed to be of Chinese origin, are employing a remote access trojan (RAT) known as SugarGh0st.

According to an analysis conducted by security firm Proofpoint, the timing of this latest campaign coincides with a report from Reuters on May 8, 2024, unveiling the US government’s efforts to restrict Chinese access to generative artificial intelligence. This suggests a possible motive for the Chinese-aligned cyber actors to target individuals with access to such information in order to advance Chinese development goals.

While Proofpoint has not definitively attributed these attacks to a known threat actor or a state-aligned entity, they have tentatively tied the activity to a temporary alias known as UNK_SweetSpecter. SugarGh0st, a modified version of the Gh0stRAT trojan, has been previously utilized in attacks by various Chinese groups. Cisco Talos researchers initially documented SugarGh0st in November 2023 during attacks on government targets in Uzbekistan and South Korea.

The attack vector in this campaign begins with targeted email phishing that uses an AI-themed lure to trick victims. The attackers impersonate users of a familiar tool the victims use and request assistance with an issue. The phishing emails contain a malicious ZIP attachment with a .LNK file, which is a common method for distributing malware. The LNK file includes command line parameters to execute JavaScript code, serving as a dropper for additional malware payloads.

The JavaScript dropper installs a decoy document, an ActiveX tool exploited for sideloading, and an encrypted binary through base64 encoding. This technique allows the dropper to create a registry startup entry and load the SugarGh0st binary in memory using the ActiveX library to execute shellcode on the system.

The SugarGh0st RAT establishes a connection with a remote command-and-control server unique from the one used in the previous November attacks. Its capabilities include gathering system information and setting up a reverse shell for attackers to access the system and issue commands. Proofpoint has observed several highly targeted attack campaigns leveraging SugarGh0st since November, including incidents involving a US telecommunications company, an international media organization, a South Asian government entity, and approximately 10 individuals linked to a prominent US-based AI organization.

While the specific state objectives behind these campaigns remain uncertain, the thematic focus on AI tools, targeting of AI experts, and the precision of the attacks indicate a strong interest in acquiring non-public information related to generative artificial intelligence. The Proofpoint report provides indicators of compromise in the form of file hashes, URLs, and IP addresses used in the campaign, along with detection signatures for identifying and mitigating these threats.

In conclusion, the emergence of this cyberespionage campaign targeting AI experts underscores the escalating threat landscape faced by organizations and individuals involved in cutting-edge technologies. Vigilance, cybersecurity awareness, and robust defense measures are essential to safeguard sensitive information and prevent unauthorized access by threat actors seeking to exploit vulnerabilities for malicious purposes.

Source link