SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques

Cisco Talos attributed an espionage campaign leveraging the SugarGh0st RAT to the newly named threat actor “SneakyChef,” which has targeted ministries and embassies across EMEA and Asia since August 2023. The campaign uses decoy documents impersonating government bodies, SFX RAR-based infection chains alongside the previously reported RAR/LNK chains, and continues to reuse known C2 infrastructure to infiltrate government agencies and related organizations. #SneakyChef #SugarGh0st #SpiceRAT #YahooParanoids #CiscoTalos

Keypoints

  • Cisco Talos discovered a new threat actor, SneakyChef, using SugarGh0st RAT since August 2023 to target multiple regions including EMEA and Asia.
  • The group leverages decoy documents impersonating government ministries, embassies, and international conferences to lure victims.
  • An additional infection chain was identified using self-extracting (SFX) RAR archives to deliver the malware, alongside previously reported methods.
  • SneakyChef is assessed to be Chinese-speaking based on language artifacts, malware lineage from Gh0st RAT, and target selection.
  • Targeted entities include Ministries of Foreign Affairs in Angola, Turkmenistan, Kazakhstan, India, and Latvia, among others.
  • Persistence is achieved by writing a command to the HKCU\Environment\UserInitMprLogonScript registry value, which is executed at every user logon; that command launches the loader “update.dll” through regsvr32.exe, and the loader then decrypts the SugarGh0st RAT payload and injects it into a process.
  • The campaign continues to use previously reported C2 infrastructure such as account[.]drive-google-com[.]tk and newly registered domains like account[.]gommask[.]online.

MITRE Techniques

  • [T1566] Phishing – Delivered malicious RAR archives via phishing emails (‘…two infection chains that utilized a malicious RAR with an LNK file, likely delivered via phishing email…’).
  • [T1036] Masquerading – Used decoy documents mimicking ministries, embassies, and conferences (‘…decoy documents of government agencies, most of which are related to Ministries of Foreign Affairs or embassies…’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Executed malicious VB script for payload deployment (‘…the SFX script executes to drop… a malicious VB script…’).
  • [T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows) – Persistence through the HKCU\Environment\UserInitMprLogonScript value, which userinit.exe executes at logon (‘…the malicious VB script establishes persistence by writing the command to the registry key…’).
  • [T1218.010] System Binary Proxy Execution: Regsvr32 – Used regsvr32.exe to load the loader DLL (‘…command runs and launches the loader DLL “update.dll” using regsvr32.exe…’).
  • [T1055] Process Injection – Loader decrypts and injects SugarGh0st into a process (‘…the loader reads the encrypted SugarGh0st RAT, decrypts it and injects it into a process…’).

Indicators of Compromise

  • [Domain] C2 infrastructure – account[.]drive-google-com[.]tk, account[.]gommask[.]online
  • [File Name] Malicious payload components – update.dll, authz.lib, and malicious VB script
  • [Registry Value] Persistence mechanism – HKCU\Environment\UserInitMprLogonScript
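The persistence and execution chain described above (UserInitMprLogonScript write, regsvr32.exe launching update.dll, lookups of the listed C2 domains) can be hunted for in endpoint telemetry. The following is an added example written for this page, not code from Cisco Talos or from the campaign, and it assumes telemetry has been exported as one JSON object per line with Sysmon-style field names (EventID, TargetObject, Details, Image, CommandLine, QueryName, Computer). The sample events, the hostnames WS01/WS02, and the %APPDATA%\Roaming path for update.dll are constructed for the demo; the report above does not state where the loader is dropped.

```python
"""Hunt for the SneakyChef/SugarGh0st persistence and execution chain in
Sysmon-style JSON events (added example, not Talos' or the actor's code).

Assumptions: one JSON event per line with Sysmon-like field names; the sample
events at the bottom are constructed, not captured from a real host."""
import json
import re

# Indicators taken from the report above.
C2_DOMAINS = {"account.drive-google-com.tk", "account.gommask.online"}
LOGON_SCRIPT_VALUE = r"\environment\userinitmprlogonscript"
LOADER_DLL = "update.dll"

# Directories from which regsvr32 registering a DLL is ordinarily expected; a DLL
# registered from anywhere else (%APPDATA%, %TEMP%, ProgramData...) is suspicious.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def check_logon_script(ev):
    """Sysmon EID 13 (registry value set) on ...\\Environment\\UserInitMprLogonScript.
    Any write here is worth an alert: userinit.exe runs the value at every logon
    and almost no legitimate software sets it (ATT&CK T1037.001)."""
    if ev.get("EventID") != 13:
        return None
    if ev.get("TargetObject", "").lower().endswith(LOGON_SCRIPT_VALUE):
        return ("T1037.001 logon-script persistence", ev.get("Details", ""))
    return None


def check_regsvr32(ev):
    """Sysmon EID 1 (process create): regsvr32.exe registering a DLL outside the
    trusted directories, or the reported loader name update.dll (ATT&CK T1218.010)."""
    if ev.get("EventID") != 1:
        return None
    if not ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    # Pull the DLL path out of the command line (quoted or bare), skipping switches like /s.
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.IGNORECASE)
    if not m:
        return None
    dll = (m.group(1) or m.group(2)).lower()
    if dll.endswith(LOADER_DLL) or not dll.startswith(TRUSTED_DLL_DIRS):
        return ("T1218.010 regsvr32 loading untrusted DLL", dll)
    return None


def check_dns(ev):
    """Sysmon EID 22 (DNS query) for the reported C2 domains or any subdomain of them."""
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower().rstrip(".")
    for dom in C2_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return ("SugarGh0st C2 domain", name)
    return None


CHECKS = (check_logon_script, check_regsvr32, check_dns)


def scan(lines):
    """Return one (rule, detail, computer) tuple per matching event, in input order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                hits.append(hit + (ev.get("Computer", "?"),))
    return hits


# Constructed sample telemetry (not from a real incident): a benign Environment
# write, the persistence write, the regsvr32 launch of update.dll, a benign
# regsvr32 of a System32 DLL, and a lookup of a reported C2 domain.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Computer": "WS01", "TargetObject": "HKU\\S-1-5-21-1\\Environment\\TEMP", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp"}
{"EventID": 13, "Computer": "WS01", "TargetObject": "HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript", "Details": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\update.dll"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\update.dll"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s \"C:\\Windows\\System32\\vbscript.dll\""}
{"EventID": 22, "Computer": "WS01", "QueryName": "account.gommask.online"}
"""

if __name__ == "__main__":
    for rule, detail, host in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: {rule} -> {detail}")
```

The logon-script check deliberately alerts on any write to the value rather than matching the regsvr32 command from this campaign, since the persistence location is far rarer in a fleet than any particular command line; the regsvr32 check keys on the DLL's location so that a renamed loader is still caught.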

Source: https://blog.talosintelligence.com/sneakychef-sugarghost-rat/