Proofpoint tracks a SugarGh0st RAT campaign targeting US AI-related organizations, labeled UNK_SweetSpecter. The operation uses targeted spearphishing with a zip attachment and a multi-stage JavaScript dropper, with evolving C2 infrastructure. Hashtags: #SugarGh0st #UNK_SweetSpecter #Proofpoint #accountgommaskonline
Keypoints
- SugarGh0st RAT campaign targeted U.S. AI researchers and organizations; Proofpoint designates the cluster as UNK_SweetSpecter.
- The May 2024 lure used a free email account to entice targets to open an attached zip archive.
- The infection chain deploys a LNK shortcut that launches a JavaScript dropper, which includes a decoy document, an ActiveX tool used for sideloading, and a base64-encoded, encrypted binary.
- The JavaScript dropper runs Windows APIs directly from JavaScript, enabling a multi-stage shellcode derived from DllToShellCode to XOR-decrypt and aplib-decompress the SugarGh0st payload.
- Persistence is achieved via a slightly modified registry key name (CTFM0N.exe).
- C2 infrastructure shifted to account.gommask[.]online with hosting at 43.242.203[.]115 and previously 103.148.245[.]235; all related to AS142032.
- The campaign appears highly targeted (fewer than 10 individuals connected to a single U.S. AI organization), and its timing aligns with broader AI mobility/news developments around May 2024.
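The dropper described above layers base64 encoding over an XOR-encrypted, aPLib-compressed binary. The following added example (not code from Proofpoint or the page) shows the analyst-side step of peeling the base64 and XOR layers from a constructed sample, recovering the key by known-plaintext against the expected `MZ` header. It assumes a single-byte XOR key applied directly to the PE, which is an assumption: the page does not state the key length, and if the XOR layer wraps the compressed stream instead, the `MZ` anchor only appears after aPLib decompression (not shown; aPLib is not in the standard library).

```python
import base64
from typing import Optional, Tuple

# Constructed sample: a fake PE header prefix (not a real binary), XOR'd with a
# single-byte key and base64-encoded to mimic the layered encoding described.
_PLAIN = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode."
)
_SAMPLE_KEY = 0x5A  # assumed single-byte key for the constructed sample
SAMPLE_B64 = base64.b64encode(bytes(b ^ _SAMPLE_KEY for b in _PLAIN)).decode()


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Return the key under which blob decrypts to start with known_prefix.

    Brute-forces all 256 single-byte keys; the two-byte MZ anchor is enough to
    reject every key but the right one. Returns None if no key fits.
    """
    for key in range(256):
        if xor_bytes(blob[: len(known_prefix)], key) == known_prefix:
            return key
    return None


def decode_layer(b64_text: str) -> Tuple[Optional[int], bytes]:
    """Strip the base64 layer, then the XOR layer if a key can be recovered.

    Returns (key, plaintext). If no key matches, returns (None, raw_bytes) so the
    caller can try the next hypothesis (e.g. decompress first, or multi-byte key).
    """
    blob = base64.b64decode(b64_text)
    key = recover_single_byte_key(blob)
    if key is None:
        return None, blob
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    key, plain = decode_layer(SAMPLE_B64)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    print(plain[:16])
```

When the recovered buffer does not start with `MZ`, treat that as the signal that another layer (compression or a longer key) sits between the XOR and the PE rather than as a failure of the sample.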
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – ‘the May 2024 campaign used a free email account to send an AI-themed lure enticing the target to open an attached zip archive.’
- [T1059.007] Command and Scripting Interpreter: JavaScript – ‘The JavaScript dropper contained a decoy document, an ActiveX tool that was registered then abused for sideloading, and an encrypted binary, all encoded in base64.’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – ‘an ActiveX tool that was registered then abused for sideloading.’
- [T1140] Deobfuscation/Decode Files or Information – ‘encrypted binary, all encoded in base64’ and the use of XOR decryption and aplib decompression to recover the SugarGh0st payload.
- [T1112] Modify Registry – ‘slightly modified registry key name for persistence, CTFM0N.exe.’
- [T1071.001] Web Protocols – ‘C2 communications shifted to account.gommask[.]online; domain hosting details’ (explanation of C2 domain/IP usage).
- [T1041] Exfiltration Over C2 Channel – ‘data exfiltration methods’ and ‘C2 heartbeat protocol’ mentioned in the payload behavior.
Indicators of Compromise
- [SHA256] da749785033087ca5d47ee65aef2818d4ed81ef217bfd4bc07be2d0bf105b1bf, 71f5ce42714289658200739ce0bbe439f6ef6fe77a5f6757b1cf21200fc59af7, and 3 more hashes
- [File name] some problems.zip, some problems.lnk, and 2 more file names
- [Domain] account.gommask[.]online
- [IP] 43.242.203[.]115
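Turning the indicators above and the CTFM0N.exe persistence detail into a sweep: the following added example (not Proofpoint's code) matches constructed sample telemetry against the published domain, IPs and hashes, and flags Run-key value names that imitate a legitimate binary through digit-for-letter swaps. It assumes CTFM0N.exe imitates Windows' ctfmon.exe and is registered as a value under a `CurrentVersion\Run` key; both are assumptions, since the page gives only the name. The events, host names and the event schema are constructed for the example.

```python
import re
from typing import Dict, List

# Indicators from the summary, kept defanged as published.
C2_DOMAINS = ["account.gommask[.]online"]
C2_IPS = ["43.242.203[.]115", "103.148.245[.]235"]
FILE_HASHES = {
    "da749785033087ca5d47ee65aef2818d4ed81ef217bfd4bc07be2d0bf105b1bf",
    "71f5ce42714289658200739ce0bbe439f6ef6fe77a5f6757b1cf21200fc59af7",
}
IMITATED_NAME = "ctfmon.exe"  # assumed target of the CTFM0N.exe lookalike
# Digits commonly swapped for letters in lookalike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a matchable string."""
    return ioc.replace("[.]", ".")


def is_lookalike(name: str, legit: str = IMITATED_NAME) -> bool:
    """True when name differs from legit only by digit-for-letter swaps."""
    lowered = name.lower()
    return lowered != legit and lowered.translate(_HOMOGLYPHS) == legit


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the campaign; empty list if none."""
    reasons: List[str] = []
    kind = ev.get("type")
    if kind == "dns" and ev.get("query", "").lower() in {refang(d) for d in C2_DOMAINS}:
        reasons.append(f"dns query for known C2 domain {ev['query']}")
    elif kind == "net" and ev.get("dst") in {refang(i) for i in C2_IPS}:
        reasons.append(f"connection to known C2 ip {ev['dst']}")
    elif kind == "registry":
        if _RUN_KEY.search(ev.get("key", "")) and is_lookalike(ev.get("value_name", "")):
            reasons.append(f"Run value name {ev['value_name']} imitates {IMITATED_NAME}")
    elif kind == "file" and ev.get("sha256", "").lower() in FILE_HASHES:
        reasons.append(f"file {ev.get('name', '?')} matches known hash")
    return reasons


def sweep(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matching reasons by host so one host's hits read as a story."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for reason in match_event(ev):
            hits.setdefault(ev["host"], []).append(reason)
    return hits


# Constructed sample telemetry: one host showing the full chain, one clean host.
SAMPLE_EVENTS = [
    {"type": "file", "host": "ws-12", "name": "some problems.zip",
     "sha256": "da749785033087ca5d47ee65aef2818d4ed81ef217bfd4bc07be2d0bf105b1bf"},
    {"type": "registry", "host": "ws-12",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "CTFM0N.exe"},
    {"type": "dns", "host": "ws-12", "query": "account.gommask.online"},
    {"type": "net", "host": "ws-12", "dst": "43.242.203.115"},
    {"type": "dns", "host": "ws-07", "query": "update.microsoft.com"},
    {"type": "registry", "host": "ws-07",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "ctfmon.exe"},
]

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_EVENTS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The lookalike check deliberately ignores case (CTFMON.EXE alone is not suspicious) and only fires on digit substitutions, so it complements rather than replaces an exact-name allowlist for Run entries.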