Chinese Cybercriminals Launch SugarGh0st RAT Campaign to Attack South Korea, Uzbekistan

This dangerous remote access trojan or RAT is wrecking havoc in two countries.

A new breed of malware has emerged under the operations of alleged Chinese-speaking threat actors. Reports say that the group orchestrated a malicious campaign, targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users.

The weapon of choice in this offensive is the notorious remote access trojan (RAT) named SugarGh0st RAT.

SugarGh0st RAT Scheme Strikes

Chinese Cybercriminals Launch SugarGh0st RAT Campaign to Attack South Korea, Uzbekistan
Cisco Talos discovered that the SugarGh0st RAT malware is targeting Uzbekistan and South Korea.They also uncovered that Chinese threat actors are behind this operation. Fahim Reza from Unsplash

Commencing no later than August 2023, the attacker employs two distinct infection sequences to deliver the customized variant of Gh0st RAT, per The Hacker News.

This RAT boasts features tailored for remote administration tasks, guided by the command and control (C2) directives. Researchers from Cisco Talos, Ashley Shen, and Chetan Raghuprasad shared some findings on how hackers operate.

The assault kicks off with a phishing email housing decoy documents. Upon opening, a multi-stage process unfolds, ultimately leading to the deployment of SugarGh0st RAT.

The phishing email conceals a heavily obfuscated JavaScript dropper within a Windows Shortcut file embedded in a RAR archive attachment.

Decoy Unveiled

As the JavaScript decodes and drops embedded files into the %TEMP% folder, a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document come to light.

While the decoy document distracts the victim, the batch script runs the DLL loader, side-loading it with a copied version of the legitimate Windows executable rundll32.exe. This process decrypts and launches the SugarGh0st payload.

Alternative Attack Vector

A second variant of the attack follows a similar pattern, initiating with a RAR archive housing a malicious Windows Shortcut file. However, in this iteration, DynamicWrapperX is employed to run shellcode, facilitating the launch of SugarGh0st.

As a 32-bit dynamic-link library (DLL) written in C++, SugarGh0st establishes contact with a hard-coded C2 domain. This enables the transmission of system metadata to the server, launching a reverse shell and executing arbitrary commands.

Noteworthy functionalities include process enumeration and termination, screenshot capture, file operations, and event log clearance to evade detection.

Chinese Origins and Noteworthy Connections

The campaign's attribution to China is rooted in Gh0st RAT's Chinese origins and its historical adoption by Chinese threat actors since 2008. Additionally, the use of Chinese names in the decoy files' metadata further solidifies these connections.

"Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad," the researchers said.

This development aligns with the increasing focus of Chinese state-sponsored groups on Taiwan in the past six months, employing innovative tactics such as repurposing residential routers to mask their intrusions, as reported by Google.

Since threat operators are becoming smarter in launching sneaky schemes at their targets, it's always recommended to keep up with them by using effective mitigation methods.

For more news about malware, spyware, or any form of malicious software, just visit Tech Times to stay updated.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics