New SugarGh0st RAT targets Uzbekistan government and South Korea

Cisco Talos uncovered a campaign that delivers a new remote access trojan called “SugarGh0st,” likely active since August 2023 and targeting Uzbekistan’s Ministry of Foreign Affairs and users in South Korea. The operation uses two infection chains, both starting from a Windows Shortcut (LNK) file that carries malicious JavaScript; one chain relies on the DynamicWrapperX library to run shellcode that executes the SugarGh0st payload. Artifacts in the samples point to a Chinese-speaking actor.
#SugarGh0st #Gh0stRAT #Uzbekistan #MinistryOfForeignAffairs #SouthKorea #DynamicWrapperX #LNK #JavaScript

Keypoints

  • The campaign likely began in August 2023 and targets Uzbekistan’s MFA and South Korea.
  • SugarGh0st is a customized Gh0st RAT variant with a modified C2 protocol and command structure.
  • Two infection chains use Windows Shortcut (LNK) files embedded with malicious JavaScript to deliver components.
  • One chain drops DynamicWrapperX, a third-party ActiveX component that lets script code call Windows API functions, and uses it to inject and run shellcode.
  • The decoy documents carry Uzbek- and Korean-language lure content, and C2 connection attempts were observed from South Korean IP addresses.
  • The Chinese-language artifacts in the samples, together with Gh0st RAT’s origins among Chinese-speaking developers, point to a Chinese-speaking actor, although attribution to a specific group remains tentative.
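
The dropper described above carries its components as base64 text inside obfuscated JavaScript and launches the loader DLL through a copied rundll32. The following triage helper is an added example (not Talos's code and not from the original samples): it pulls every long base64 run out of a script, decodes what is valid, classifies each blob by magic bytes, and flags a rundll32 path outside the system directories. The sample script, its variable names, the `C:\Users\Public` paths and the stand-in payloads are constructed for the example; only the file name libeay32.dll comes from the page.

```python
import base64
import binascii
import re

# Synthetic stand-ins for the dropped components (magic bytes plus padding,
# not real malware): a PE image, an OOXML document and a PDF, matching the
# mix the page describes (loader DLL plus .docx/.pdf decoys).
FAKE_DLL = b"MZ" + b"\x00" * 126          # 128 bytes
FAKE_DOCX = b"PK\x03\x04" + b"\x00" * 60  # 64 bytes
FAKE_PDF = b"%PDF-1.7\n" + b"%" * 55      # 64 bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed dropper modelled on the page's description: base64 components
# in an obfuscated array, files written via the FileSystemObject, and a
# copied rundll32 loading libeay32.dll. Paths and names are assumptions.
SAMPLE_DROPPER = (
    "var _0x1f=['" + _b64(FAKE_DLL) + "','" + _b64(FAKE_DOCX) + "','" + _b64(FAKE_PDF) + "'];"
    "var f=new ActiveXObject('Scripting.FileSystemObject');"
    "var s=new ActiveXObject('WScript.Shell');"
    "s.Run('C:\\Users\\Public\\rundll32.exe C:\\Users\\Public\\libeay32.dll,#1',0);"
)

MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip_ooxml"), (b"%PDF", "pdf")]
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
_RUNDLL_PATH = re.compile(r"(?i)([a-z]:\\[^'\"\s]*?rundll32\.exe)")


def classify(blob: bytes) -> str:
    """Label a decoded blob by its leading magic bytes."""
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return "unknown"


def extract_components(script: str):
    """Decode every long base64 run; skip runs that are not valid base64
    (long obfuscated identifiers trip the regex but fail strict decoding)."""
    out = []
    for m in _B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        out.append((classify(blob), len(blob)))
    return out


def triage(script: str) -> dict:
    comps = extract_components(script)
    rundll_paths = _RUNDLL_PATH.findall(script)
    # rundll32 anywhere but System32/SysWOW64 is the "copied rundll32" pattern
    odd_rundll = [p for p in rundll_paths
                  if not re.search(r"(?i)\\windows\\sys(tem32|wow64)\\", p)]
    return {
        "components": comps,
        "has_executable": any(t == "pe" for t, _ in comps),
        "has_decoy": any(t in ("zip_ooxml", "pdf") for t, _ in comps),
        # generic WSH file-drop idioms, not specific to this campaign
        "writes_files": bool(re.search(r"Scripting\.FileSystemObject|ADODB\.Stream", script)),
        "rundll32_outside_system32": odd_rundll,
    }


def verdict(script: str) -> str:
    t = triage(script)
    if t["has_executable"] and t["writes_files"] and (t["rundll32_outside_system32"] or t["has_decoy"]):
        return "likely dropper"
    return "inconclusive"


if __name__ == "__main__":
    print(triage(SAMPLE_DROPPER))
    print(verdict(SAMPLE_DROPPER))
```

Strict decoding (`validate=True`) is what keeps the base64 regex usable on obfuscated scripts: long identifier runs match the pattern but fail decoding and are discarded, while real embedded components decode cleanly. Real droppers often split or reverse their base64 strings, so a production version would also try concatenating adjacent string literals before decoding.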

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The initial vector is described as a phishing email with an attached malicious RAR archive sent to a Ministry employee. [“The initial vector of the campaign is likely a phishing email with an attached malicious RAR archive file sent to an employee of the Ministry of Foreign Affairs.”]
  • [T1204.002] User Execution: Malicious File – Both infection chains start when the victim opens a Windows Shortcut (LNK) file that carries the malicious JavaScript; the LNK is the delivery wrapper, not a modified existing shortcut. [“Two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.”]
  • [T1059.007] JavaScript – The attack uses heavily obfuscated JavaScript as the dropper. [“The JavaScript dropper is a heavily obfuscated script embedded with base64 encoded data of the other components of the attack.”]
  • [T1027] Obfuscated/Compressed Files and Information – Obfuscated JavaScript and encoded payloads are used to conceal the dropper and components. [“heavily obfuscated script embedded with base64 encoded data.”]
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The dropper copies rundll32 out of its system location and uses the copy to load the loader DLL, which keeps the execution off the usual System32 path. [“sideloading it with a copied rundll32.”]
  • [T1055] Process Injection – The loader uses DynamicWrapperX to inject and run shellcode that executes SugarGh0st in memory. [“DynamicWrapperX loader to inject and run the shellcode.”]
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The second infection chain creates a Run entry named “CTFMON.exe” for persistence; the name mimics the legitimate Windows Text Services binary. [“creating a registry subkey called ‘CTFMON.exe’ in the Run registry key.”]
  • [T1056.001] Keylogging – SugarGh0st implements real-time and offline keylogging. [“starts the keylogging function.”]
  • [T1113] Screen Capture – SugarGh0st can take screenshots of the victim machine’s desktop. [“take screenshots of the victim machine’s current desktop.”]
  • [T1125] Video Capture – SugarGh0st can access the machine’s camera to capture video/images. [“access the machine camera to capture the screen.”]
  • [T1095] Non-Application Layer Protocol – The implant opens a socket to a hardcoded C2 domain and port and speaks Gh0st’s custom TCP protocol (here with a modified header and command set), including periodic heartbeats; the domains imitate Google Drive but the traffic is not HTTP. [“WSAStartup functions, a hardcoded C2 domain and port to establish the connection to the C2 server.”]
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – The malware can clear the Application, Security and System event logs to hinder detection; the clearing itself leaves Security event 1102 and System event 104 behind. [“clears the machine’s Application, Security and System event logs to hide the malicious operations.”]
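
Three of the behaviours above leave host telemetry that is easy to hunt for: a rundll32 copy running outside the system directories, a Run entry named CTFMON.exe that does not point into C:\Windows, and the event-log clearing events themselves. The detection logic below is an added example, not Talos's, run over constructed Sysmon-style records (Event ID 1 ProcessCreate with Image, OriginalFileName and CommandLine; Event ID 13 RegistryEvent with TargetObject and Details) and Windows Security 1102 / System 104 “log cleared” events. The SID, user name, paths and the benign OneDrive entry are assumptions made for the example.

```python
import re

# Constructed telemetry for the example (not from the page or from Talos).
# Field names follow Sysmon and the Windows Security/System logs; values are
# assumptions that mirror the behaviours the page describes.
EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},            # benign
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Users\Public\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"C:\Users\Public\rundll32.exe C:\Users\Public\libeay32.dll,#1"},
    {"Channel": "Sysmon", "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.exe",
     "Details": r"C:\Users\Public\rundll32.exe C:\Users\Public\libeay32.dll,#1"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "user"},   # audit log cleared
    {"Channel": "System", "EventID": 104, "ClearedLog": "Application"},    # log file cleared
    {"Channel": "Sysmon", "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign
]

SYSTEM_DIRS = re.compile(r"(?i)^[a-z]:\\windows\\sys(tem32|wow64)\\")
RUN_CTFMON = re.compile(r"(?i)\\currentversion\\run\\ctfmon\.exe$")


def rundll32_outside_system_dir(ev) -> bool:
    """A binary whose PE version info says RUNDLL32.EXE but that runs from
    outside System32/SysWOW64: the copied-rundll32 pattern."""
    return (ev.get("Channel") == "Sysmon" and ev.get("EventID") == 1
            and ev.get("OriginalFileName", "").upper() == "RUNDLL32.EXE"
            and not SYSTEM_DIRS.match(ev.get("Image", "")))


def run_key_ctfmon(ev) -> bool:
    """The genuine ctfmon.exe lives under C:\\Windows; a Run entry of that
    name whose data points elsewhere is the masquerade the page describes."""
    return (ev.get("Channel") == "Sysmon" and ev.get("EventID") == 13
            and RUN_CTFMON.search(ev.get("TargetObject", "")) is not None
            and not re.match(r"(?i)^\"?[a-z]:\\windows\\", ev.get("Details", "")))


def event_log_cleared(ev) -> bool:
    """Clearing the Security log writes 1102; clearing any other log writes
    104 to the System log. Neither can be suppressed by the clearing itself."""
    return (ev.get("Channel"), ev.get("EventID")) in {("Security", 1102), ("System", 104)}


RULES = [
    ("rundll32_outside_system_dir", rundll32_outside_system_dir),
    ("run_key_ctfmon", run_key_ctfmon),
    ("event_log_cleared", event_log_cleared),
]


def detect(events):
    """Return (rule_name, event_index) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, idx in detect(EVENTS):
        print(f"{name}: event {idx}")
```

The rundll32 rule keys on `OriginalFileName` rather than the image name so a renamed copy is still caught, and the Run-key rule tolerates either a value or a subkey named CTFMON.exe, since the page's wording (“registry subkey”) and the usual Run-value layout differ. In a real deployment the two Sysmon hits sharing a command line would be correlated into one alert.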

Indicators of Compromise

  • [Domain] C2 domains – login.drive-google-com.tk, account.drive-google-com.tk
  • [Document] Uzbek decoy document – Investment project details.docx
  • [Document] Korean decoy documents – Account.pdf, MakerDAO MKR approaches highest since August.docx, Equipment_Repair_Guide.docx
  • [Archive] LNK-based delivery – Windows Shortcut file embedded in a malicious RAR archive
  • [File] SugarGh0st/DLL loader components – libeay32.dll, DPLAY.LIB
  • [File] JavaScript dropper – 204158968.js
  • [Document] Additional decoy documents – two further decoy documents, opened on execution to mask the infection, are not named here

Read more: https://blog.talosintelligence.com/new-sugargh0st-rat/