Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor it tracks as SneakyChef. The operation, active since at least early August 2023, uses the SugarGh0st RAT and other malware to target government agencies, research institutions, and other organizations worldwide. Initially aimed at users in Uzbekistan and South Korea, the campaign has since expanded to targets across EMEA and Asia.
The attackers use decoy documents that impersonate government agencies and research institutions to lure victims. These include government-themed lures such as circulars, reports, and announcements from ministries and embassies, as well as research conference-themed lures such as abstracts, application forms, and conference invitations.
Talos describes two infection chains, both likely delivered by phishing email. One starts with a malicious RAR archive containing an LNK file; the other uses a self-extracting (SFX) RAR archive as the initial vector. When the SFX archive is executed, it drops a decoy document, a DLL loader, an encrypted SugarGh0st payload, and a malicious VB script into the victim's temporary user profile folder. Alongside SugarGh0st, the campaign also deploys a second RAT that Talos calls "SpiceRAT."
The VB script establishes persistence by writing a command to UserInitMprLogonScript, a registry value under HKCU\Environment that Windows runs as a logon script each time the user signs in. Because it is an environment value rather than a Run key or scheduled task, it is easy to miss in a routine persistence review. The loader DLL reads the encrypted SugarGh0st payload, decrypts it, and injects it into a process, a technique similar to the one used in a previous SugarGh0st campaign disclosed by the Kazakhstan government in February 2024.
Despite Talos's initial disclosure of SugarGh0st in November 2023, SneakyChef continues to use both old and new command and control (C2) domains. The older domain account[.]drive-google-com[.]tk remained active until mid-May 2024, while a new domain, account[.]gommask[.]online, was created in March 2024. The full list of indicators of compromise is available in the Talos Intelligence report.
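The two domains above are published defanged, and a hunt over DNS telemetry needs them refanged and matched on label boundaries, so that subdomains of an indicator count but look-alike names do not. The following Python snippet is an added example, not Talos tooling; the DNS log lines are constructed for it (loosely modelled on a BIND query log) and the client addresses and timestamps are invented. Only the two domains come from the article; the matching and reporting logic is a general IOC hunt that works for any defanged domain list.

```python
import re
from collections import defaultdict

# Defanged C2 domains exactly as the article lists them.
DEFANGED_IOCS = ["account[.]drive-google-com[.]tk", "account[.]gommask[.]online"]

# Constructed DNS query log (BIND-style layout). Not real telemetry.
SAMPLE_DNS_LOG = """\
10-May-2024 09:12:01.123 client 10.0.4.17#53211: query: account.drive-google-com.tk IN A + (10.0.0.53)
10-May-2024 09:12:05.002 client 10.0.4.17#53212: query: www.google.com IN A + (10.0.0.53)
11-May-2024 14:03:44.871 client 10.0.9.3#61002: query: account.gommask.online IN A + (10.0.0.53)
11-May-2024 14:03:45.010 client 10.0.9.3#61003: query: updates.account.gommask.online IN AAAA + (10.0.0.53)
12-May-2024 08:00:00.000 client 10.0.4.17#53400: query: myaccount.gommask.online IN A + (10.0.0.53)
12-May-2024 08:00:01.500 client 10.0.4.17#53401: query: drive-google-com.tk.cdn.example.net IN A + (10.0.0.53)
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def refang(ioc: str) -> str:
    """Turn defanged notation back into a lowercase hostname without a trailing dot."""
    s = ioc.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxps?://", "", s)     # also handles defanged URL prefixes
    return s.rstrip(".")


def matches_ioc(qname: str, ioc_domain: str) -> bool:
    """True if qname is the indicator or a subdomain of it (label-boundary aware)."""
    q = qname.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def hunt(log_text: str, defanged_iocs: list) -> dict:
    """Map each refanged IOC to first/last seen, hit count and querying clients."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0, "sources": set()})
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue                         # skip lines that are not queries
        for ioc in iocs:
            if matches_ioc(m["qname"], ioc):
                h = hits[ioc]
                h["first"] = h["first"] or m["ts"]   # log is in time order
                h["last"] = m["ts"]
                h["count"] += 1
                h["sources"].add(m["src"])
    # Freeze sets so the result is plain data that can be serialised.
    return {k: {**v, "sources": sorted(v["sources"])} for k, v in hits.items()}


if __name__ == "__main__":
    for ioc, h in hunt(SAMPLE_DNS_LOG, DEFANGED_IOCS).items():
        print(f"{ioc}: {h['count']} queries from {h['sources']} ({h['first']} .. {h['last']})")
```

Note that `myaccount.gommask.online` is deliberately not matched: a plain substring test would flag it, and would also miss nothing, but on a large log substring matching produces noise and obscures the real hits. If you want sibling hosts under the same registered domain, add the parent domain to the list explicitly rather than loosening the comparison.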
In response to this campaign, organizations are advised to update security software with the latest threat definitions, educate employees about phishing and safe email practices, implement network monitoring that can surface unusual activity, and maintain regular backups of critical data to limit the impact of a breach. Beyond that generic advice, defenders can hunt directly for the specifics described here: user hives that set UserInitMprLogonScript, DLL loaders and scripts written to users' temp folders, and DNS or proxy traffic to the listed C2 domains. The continued activity of SneakyChef after public disclosure shows why such hunting needs to be ongoing rather than a one-off response to a report.
This discovery is a reminder of the constantly evolving threat landscape and of the need for robust security measures. Staying ahead of actors like SneakyChef requires vigilance, preparedness, and a proactive approach to security.
