
SneakyChef APT Cuts Through Foreign Affairs With SugarGh0st


A Chinese-language advanced persistent threat (APT) has been conducting espionage activities on government ministries across the eastern hemisphere. The first signs of this cyber threat appeared in late August of last year when an unidentified group started using a modified version of Gh0st RAT, known as “SugarGh0st RAT,” to target entities in South Korea and the Ministry of Foreign Affairs in Uzbekistan. Following this initial discovery, Cisco Talos recently disclosed in a blog post that the group, now known as “SneakyChef,” has expanded its operations to include multiple countries in its new campaigns.

According to Cisco Talos, SneakyChef has been targeting various government ministries and entities, including the ministries of foreign affairs in Angola, India, Kazakhstan, Latvia, and Turkmenistan. The group has also targeted the ministries of agriculture and forestry, and of fisheries and marine resources, in Angola, as well as the Saudi Arabian embassy in Abu Dhabi. Talos has nonetheless refrained from attributing SneakyChef to any specific government, while pointing to the Chinese-language characteristics in its code, its use of SugarGh0st RAT, and the consistent profile of its targets.

In its latest activities, SneakyChef has transitioned from using malicious RAR files embedded in LNK files for initial infection to using self-extracting RAR archives (SFX RAR). This shift gives the threat actors a practical advantage: Nick Biasini, head of outreach at Cisco Talos, explained that because Windows 11 now supports RAR files natively, an SFX RAR needs no additional archiving software on the victim's machine, which increases the likelihood of a successful infection.

Each SFX RAR that SneakyChef delivers contains a decoy document, a DLL loader, an encrypted malware payload (either SugarGh0st RAT or the newer tool, SpiceRAT), and a malicious Visual Basic (VB) script that establishes persistence. The decoy documents used in these campaigns are genuine and concern government-related matters such as upcoming meetings or conferences. Notably, Talos observed that the decoy documents were not publicly available on the web, which suggests they may themselves have been obtained through earlier espionage.
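From a detection standpoint, the delivery change described above has a simple structural signature: a self-extracting RAR is a Windows executable stub with a RAR archive appended to it, so the file begins with the `MZ` DOS header and carries a RAR marker block later in the file. The following triage helper is an added illustration of that check and is not code from Cisco Talos or from the article; the sample bytes it scans are constructed for the example and are not a real SneakyChef dropper.

```python
"""Triage helper: flag files that look like self-extracting RAR (SFX RAR) droppers.

Added example, not Talos's code. The check is structural only: a PE executable
('MZ' header) that also contains a RAR v4 or v5 marker block is reported as an
SFX RAR. A plain .rar archive (marker at offset 0) is deliberately not flagged,
because the point is to surface archives disguised as executables.
"""
import sys
from dataclasses import dataclass
from typing import Optional

PE_MAGIC = b"MZ"
# Common prefix of both RAR marker blocks; the next byte(s) tell the version:
#   RAR 4.x: 52 61 72 21 1A 07 00
#   RAR 5.x: 52 61 72 21 1A 07 01 00
RAR_PREFIX = b"Rar!\x1a\x07"


@dataclass
class SfxRarFinding:
    rar_version: int     # 4 or 5
    archive_offset: int  # byte offset of the RAR marker inside the file
    stub_size: int       # size of the executable stub preceding the archive


def detect_sfx_rar(data: bytes) -> Optional[SfxRarFinding]:
    """Return a finding if `data` is a PE file with an embedded RAR archive, else None."""
    if not data.startswith(PE_MAGIC):
        return None
    start = 0
    while True:
        off = data.find(RAR_PREFIX, start)
        if off <= 0:
            return None
        tail = data[off + len(RAR_PREFIX): off + len(RAR_PREFIX) + 2]
        if tail[:1] == b"\x00":
            return SfxRarFinding(rar_version=4, archive_offset=off, stub_size=off)
        if tail == b"\x01\x00":
            return SfxRarFinding(rar_version=5, archive_offset=off, stub_size=off)
        # Prefix matched but the version byte did not: keep scanning.
        start = off + 1


def triage_file(path: str) -> Optional[SfxRarFinding]:
    """Read a file from disk and run the SFX RAR check on it."""
    with open(path, "rb") as fh:
        return detect_sfx_rar(fh.read())


# Constructed sample: a fake PE stub followed by a RAR 5 marker block.
SAMPLE_STUB = (
    PE_MAGIC
    + b"\x90" * 62
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 16
)
SAMPLE_SFX = SAMPLE_STUB + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        finding = detect_sfx_rar(SAMPLE_SFX)
        print(f"constructed sample: {finding}")
    for p in paths:
        result = triage_file(p)
        verdict = f"SFX RAR (v{result.rar_version}, archive at {result.archive_offset})" if result else "no embedded RAR"
        print(f"{p}: {verdict}")
```

Run it with one or more file paths to report which are PE files carrying an appended RAR archive; with no arguments it scans the constructed sample. A hit is a triage signal, not proof of malice (legitimate installers are built the same way), so the natural next step is to extract the archive with a standard RAR tool in an isolated environment and inspect it for the component set the article describes: a decoy document, a DLL loader, an encrypted payload, and a VB script.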

According to Biasani, the initial wave of government cyber espionage typically involves broad attacks aimed at infecting numerous targets to establish footholds and gather data. As the threat actors seek access to more secure government entities, the sophistication of their attacks increases, showcasing more advanced tactics and techniques.

In conclusion, the activities of the SneakyChef APT group underscore the persistent threat that state-sponsored cyber espionage poses to government ministries and entities in the eastern hemisphere. As the group's tactics evolve and its target list expands, cybersecurity experts continue to monitor and mitigate the associated risks in order to safeguard critical government infrastructure and sensitive information.
