Dec 01, 2023 | Newsroom | Malware / Cyber Espionage

SugarGh0st RAT

A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan referred to as SugarGh0st RAT.

The activity, which commenced no later than August 2023, leverages two different infection sequences to deliver the malware, which is a customized variant of Gh0st RAT (aka Farfli).

It comes with features to "facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code," Cisco Talos researchers Ashley Shen and Chetan Raghuprasad said.

The attacks begin with a phishing email bearing decoy documents, opening which activates a multi-stage process that leads to the deployment of SugarGh0st RAT.


The decoy documents are incorporated within a heavily obfuscated JavaScript dropper that is contained inside a Windows Shortcut file embedded in the RAR archive email attachment.

"The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document," the researchers said.

The decoy document is then displayed to the victim, while, in the background, the batch script runs the DLL loader, which, in turn, side-loads it with a copied version of a legitimate Windows executable called rundll32.exe to decrypt and launch the SugarGh0st payload.

A second variant of the attack also begins with a RAR archive containing a malicious Windows Shortcut file that masquerades as a lure, with the difference being that the JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st.

SugarGh0st, a 32-bit dynamic-link library (DLL) written in C++, establishes contact with a hard-coded command-and-control (C2) domain, allowing it to transmit system metadata to the server, launch a reverse shell, and run arbitrary commands.

It can also enumerate and terminate processes, take screenshots, perform file operations, and even clear the machine's event logs in an attempt to cover its tracks and evade detection.
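The infection chain described above (a batch script dropped to %TEMP% that launches a relocated copy of rundll32.exe to side-load a DLL) and the event-log clearing mentioned here both leave observable traces in endpoint telemetry. The following is an added example, not code from the article or from Cisco Talos, showing how a defender might express those traces as simple detection rules and run them over process-creation records. The sample events, file names and paths are constructed for illustration; the field names follow the Sysmon event-ID-1 schema (Image, ParentImage, CommandLine, OriginalFileName), and the "log cleared" IDs 1102 (Security) and 104 (System) are the standard Windows Event Log IDs.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry (illustrative only, not from the article): simplified
# Sysmon-style process-creation records (event_id "1") plus a Windows "log cleared"
# record (event_id "1102"). Event 2 models a copied rundll32.exe running out of %TEMP%
# under an assumed file name; event 3 is a benign rundll32 launch that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "1", "image": "C:\\Windows\\explorer.exe", "parent_image": "",
     "command_line": "explorer.exe", "original_file_name": "EXPLORER.EXE"},
    {"event_id": "1", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat",
     "original_file_name": "Cmd.Exe"},
    {"event_id": "1", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
                     "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.dll,Start",
     "original_file_name": "RUNDLL32.EXE"},
    {"event_id": "1", "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL",
     "original_file_name": "RUNDLL32.EXE"},
    {"event_id": "1102", "image": "", "parent_image": "", "command_line": "",
     "original_file_name": ""},
]

# Directories from which a genuine rundll32.exe is expected to run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Per-user temp directory as it appears in a command line or image path.
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def relocated_rundll32(ev: Dict[str, str]) -> bool:
    """A binary whose PE version info says RUNDLL32.EXE but which runs from
    outside the Windows system directories (copied or renamed rundll32)."""
    return (ev["event_id"] == "1"
            and ev["original_file_name"].upper() == "RUNDLL32.EXE"
            and not ev["image"].lower().startswith(SYSTEM_DIRS))


def batch_from_temp(ev: Dict[str, str]) -> bool:
    """cmd.exe executing a .bat located in the user's %TEMP% folder."""
    cl = ev["command_line"].lower()
    return (ev["event_id"] == "1"
            and ev["image"].lower().endswith("\\cmd.exe")
            and ".bat" in cl
            and USER_TEMP.search(cl) is not None)


def event_log_cleared(ev: Dict[str, str]) -> bool:
    """Security (1102) or System (104) log cleared, or wevtutil invoked with
    the clear-log verb."""
    if ev["event_id"] in ("1102", "104"):
        return True
    cl = ev["command_line"].lower()
    return (ev["event_id"] == "1"
            and ev["image"].lower().endswith("\\wevtutil.exe")
            and re.search(r"\b(cl|clear-log)\b", cl) is not None)


# Rule name -> predicate; evaluated in this order for each event.
RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "batch_from_temp": batch_from_temp,
    "relocated_rundll32": relocated_rundll32,
    "event_log_cleared": event_log_cleared,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits: List[Tuple[str, int]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]['image'] or 'log cleared'}")
```

Each rule on its own will produce some benign hits (administrators do run batch files from temp directories and clear logs deliberately); the value in a real pipeline comes from correlating them on one host within a short window, in the order the chain above describes, which the returned (rule, index) pairs make straightforward.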

The campaign's links to China stem from Gh0st RAT's Chinese origins and the fact that the fully functional backdoor has been widely adopted by Chinese threat actors over the years, partly driven by the release of its source code in 2008. Another smoking gun is the use of Chinese names in the "last modified by" field in the metadata of the decoy files.


"The Gh0st RAT malware is a mainstay in the Chinese threat actors' arsenal and has been active since at least 2008," the researchers said.

"Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad."

The development comes as Chinese state-sponsored groups have also increasingly targeted Taiwan in the last six months, with the attackers repurposing residential routers to mask their intrusions, according to Google.
