Unveiling SpiceRAT: SneakyChef’s latest tool targeting EMEA and Asia

SpiceRAT, a new remote access trojan uncovered by Cisco Talos, is used by the SneakyChef threat actor in a campaign targeting government agencies in EMEA and Asia. The operation features two infection chains (LNK- and HTA-based) delivering SpiceRAT alongside SugarGh0st via phishing emails and increasingly sophisticated loader chains.
#SneakyChef #SpiceRAT

Keypoints

  • SneakyChef campaigns target government agencies across multiple countries in EMEA and Asia, delivering SugarGh0st and SpiceRAT via phishing emails.
  • Cisco Talos identified two infection chains to deliver SpiceRAT: LNK-based and HTA-based, each with multi-stage payloads and decoys.
  • The LNK-based chain drops a hidden folder containing a malicious launcher, a DLL loader, and SpiceRAT components, orchestrated through a malicious shortcut masquerading as a PDF.
  • The HTA-based chain uses a malicious HTA file that drops a VBScript downloader and a batch script, which decodes a base64 payload and establishes persistence via scheduled tasks.
  • SpiceRAT’s architecture includes a legitimate loader (sideloaded DLL), an encrypted payload, and downloadable plugins, enabling memory-based decryption, injection, and plugin execution.
  • SpiceRAT communicates with attacker-controlled C2 servers via HTTP/S, using hardcoded URLs and a custom three-byte prefix for requests/responses.
  • Talos credits collaboration with Yahoo! Paranoids in the analysis, and notes similarities between SpiceRAT’s loading method and PlugX/SPIVY-style loaders and DLL sideloading techniques.

MITRE Techniques

  • [T1566.001] Phishing – The campaign uses phishing emails delivering SugarGh0st and SpiceRAT via RAR attachments. “phishing emails with at least 28 different RAR file attachments to deliver either SugarGh0st or SpiceRAT.”
  • [T1204] User Execution – Victims open the malicious LNK shortcut masquerading as a PDF, triggering execution. “After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable…”
  • [T1027] Obfuscated/Compressed Files and Information – The HTA-based chain decodes a base64-encoded downloader, and the SpiceRAT payload is stored encrypted on disk and decrypted only in memory by the loader. “Encrypted SpiceRAT” and “decrypts it using the RC4 encryption algorithm.”
  • [T1053.005] Windows Scheduled Task – Both the HTA-based chain and the loader-based chain establish persistence by creating scheduled tasks that run the downloader and the ChromeDriver executable. “schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN …” and “schtasks /create /tn MicrosoftDeviceSync …”
  • [T1218.011] Signed Binary Proxy Execution (Sideload) – A legitimate Samsung RunHelp.exe is used as the launcher to sideload the malicious ssMUIDLL.dll loader, which masquerades as the legitimate DLL of the same name. “legitimate executable (named ‘RunHelp.exe’) as a launcher to sideload the malicious DLL loader… masquerading as the legitimate DLL.”
  • [T1055] Process Injection – The sideloaded ssMUIDLL.dll loader decrypts SpiceRAT in memory and injects it into dxcap.exe. “the malicious loader… decrypts SpiceRAT in memory and injects … into ‘dxcap.exe’.”
  • [T1105] Ingress Tool Transfer – The downloader fetches chromeupdate.zip from attacker-controlled servers to unpack SpiceRAT components. “downloads a malicious archive file ‘chromeupdate.zip’ from an attacker-controlled server.”
  • [T1071.001] Web Protocols – SpiceRAT uses HTTP POST to communicate with C2 servers via WININET.dll, including hardcoded URLs. “The RAT connects to the C2 server… through the HTTP POST method.”
  • [T1059.005] Command and Scripting Interpreter: VBScript – The HTA chain embeds a VBScript downloader executed by HTA before dropping additional payloads. “embedded Visual Basic script executes and drops the embedded base64-encoded downloader binary…”

Indicators of Compromise

  • [File] LNK shortcut – 2024-01-17.pdf.lnk, a malicious shortcut masquerading as a PDF that launches the malicious launcher (LNK-based infection chain).
  • [File] Decoy PDFs – Microsoftpdf.pdf and other decoy PDFs used as lures in the HTA and LNK chains.
  • [File] SpiceRAT components – ssMUIDLL.dll (malicious DLL loader), CGMIMP32.HLP (encrypted SpiceRAT), Windows launcher (e.g., RunHelp.exe), and ChromeDriver.exe.
  • [Mutex] Infection markers – mutex names such as {00866F68-6C46-4ABD-A8D6-2246FE482F99} and {00861111-3333-4ABD-GGGG-2246FE482F99}.
  • [URL/Domain] C2 URLs – hxxp[://]45[.]144[.]31[.]57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zip; hxxp[://]94[.]198[.]40[.]4/homepage/index.aspx; hxxp[://]stock[.]adobe-service[.]net/homepage/index.aspx; hxxp[://]app[.]turkmensk[.]org/homepage[index.aspx].
  • [Domain] Turkmenistan news site referenced in decoy PDFs – metbugat.gov.tm (Neytralnyy Turkmenistan).
  • [Executable] Legitimate loaders/executables used for sideloading – RunHelp.exe (Samsung), dxcap.exe (DirectX Diagnostic, masqueraded), ChromeDriver.exe.
  • [Memory/Encryption] In-memory decryption and injection – the ssMUIDLL.dll loader decrypts the encrypted SpiceRAT payload in memory and injects it from memory, so the decrypted RAT is not expected on disk.
  • [IP] C2 IPs – 45.144.31.57; 94.198.40.4.
  • [Domain] C2 domain references – app.turkmensk.org; turkmensk.org; stock.adobe-service.net.
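The host-level indicators listed above (the two scheduled task names, the RunHelp.exe / ssMUIDLL.dll sideload pair, and dxcap.exe as the injection target) can be turned into simple detection rules over endpoint telemetry. The following is an added example written for this page, not Talos code: it runs a few rules over constructed Sysmon-style event dicts. The user-writable path list and the assumption that the loader spawns dxcap.exe as a child of RunHelp.exe are mine, not statements from the report.

```python
import re

# Scheduled task names quoted on the page (T1053.005 persistence).
TASK_NAMES = {"MicrosoftEdgeUpdateTaskMachineClSAN", "MicrosoftDeviceSync"}
# Assumption: user-writable roots where the dropped hidden folder would sit.
USER_PATHS = re.compile(r"\\users\\|\\appdata\\|\\temp\\", re.IGNORECASE)

def scheduled_task_name(cmdline):
    """Return the /tn value of a 'schtasks /create' command line, else None."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.IGNORECASE):
        return None
    m = re.search(r'\s/tn\s+"?([^\s"]+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def classify(ev):
    """Map one Sysmon-style event dict to a finding string, or None."""
    image = ev.get("image", "").lower()
    if ev["event"] == "process_create":
        if scheduled_task_name(ev.get("cmdline", "")) in TASK_NAMES:
            return "persistence: schtasks /create with a SpiceRAT task name"
        # RunHelp.exe is a legitimate Samsung binary; launched from a user
        # path it matches the launcher that sideloads ssMUIDLL.dll.
        if image.endswith("\\runhelp.exe") and USER_PATHS.search(image):
            return "sideload launcher in user path: " + ev["image"]
        # Assumption: the loader starts dxcap.exe before injecting into it.
        parent = ev.get("parent", "").lower()
        if image.endswith("\\dxcap.exe") and parent.endswith("\\runhelp.exe"):
            return "injection target: dxcap.exe spawned by RunHelp.exe"
    elif ev["event"] == "image_load":
        loaded = ev.get("loaded", "").lower()
        if loaded.endswith("\\ssmuidll.dll") and "\\program files" not in loaded:
            return "sideloaded DLL outside Program Files: " + ev["loaded"]
    return None

def scan(events):
    """Return (index, finding) pairs for every event that matches a rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]

STAGE = r"C:\Users\victim\AppData\Local\.hidden"   # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f"schtasks /create /tn MicrosoftDeviceSync /sc minute /mo 5 /tr {STAGE}\\RunHelp.exe"},
    {"event": "process_create", "image": STAGE + r"\RunHelp.exe", "cmdline": "RunHelp.exe"},
    {"event": "image_load", "image": STAGE + r"\RunHelp.exe", "loaded": STAGE + r"\ssMUIDLL.dll"},
    {"event": "process_create", "image": STAGE + r"\dxcap.exe", "parent": STAGE + r"\RunHelp.exe",
     "cmdline": "dxcap.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /sc daily /tr backup.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the benign scheduled task alone; in a real deployment the task-name rule should be paired with the path and parent-process rules, since the names alone are cheap for an operator to change.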

Read more: https://blog.talosintelligence.com/new-spicerat-sneakychef/