A new malicious campaign employs SugarGh0st RAT to target government agencies. Artifacts in the decoy documents hint at a potential Chinese-speaking actor.
SugarGh0st Uses Spear Phishing to Attack Governments
Researchers have uncovered a new wave of attacks targeting government entities in Uzbekistan and South Korea. The campaign uses a customized variant of the infamous Gh0st RAT, dubbed SugarGh0st, and relies on a sophisticated, multi-stage infection chain.
The targets were foreign ministry personnel, lured with documents about investment projects, account credentials, and internal memos. These topics were chosen to make victims enable the malware unknowingly while viewing what appeared to be legitimate work documents. Overall, the choice of targets points to a relationship between SugarGh0st’s operators and the Chinese government.
Multi-stage infection chain
Once delivered by email, the malicious documents trigger a multi-stage process that installs SugarGh0st on the system. JavaScript and shortcut (LNK) files execute commands that drop the RAT executable, decrypt it, and launch its full functionality in the background. Techniques such as living-off-the-land (LotL) binaries, DLL side-loading, and abuse of legitimate Windows utilities help hide the deployment from both security tools and the user. The operational security on display, combined with the focus on foreign ministry networks, suggests an adversary that carefully refined its tradecraft before targeting sensitive agencies.
Following installation, SugarGh0st offers advanced monitoring, exfiltration, and manipulation capabilities that surpass typical commodity cybercrime malware. Its functions include recording keystrokes, activating webcams, executing files, and killing processes – all directed dynamically by attacker commands. Such comprehensive access puts the integrity of infected government agencies at risk through unconstrained internal spying.
Depending on the victims’ operational security practices, lateral movement could also jeopardize wider departments and ministry networks. While assessing the total damage remains challenging, the implications are clearly severe. Moreover, this access has allowed stolen secrets to affect international affairs and relations.
A Gh0st RAT Variant and Potential Chinese Connection
While the attribution remains speculative, artifacts in the decoy documents hint at a potential Chinese-speaking actor. Two files within the campaign contain Chinese characters in their “last modified by” names, suggesting a linguistic connection to China. As the name suggests, SugarGh0st represents an evolution of existing Chinese-linked Gh0st RAT variants in circulation for over 15 years. Developed by the Chinese group 红狼小组 (C.Rufus Security Team), Gh0st RAT has been active since 2008.
SugarGh0st retains the core functionality of its predecessor but adds customized reconnaissance capabilities and a modified communication protocol. The malware gives threat actors total remote control to pillage confidential data from infected networks. Enhancements include:
- expanded anti-detection tactics
- reconnaissance commands tailored to harvest documents and credentials
- new communications disguising C2 servers as Google Drive domains
Attacks on government entities, particularly embassies and ministries, are not a new phenomenon. Countries have always spied on each other; only the tools differ. While most states keep their software hidden, Asian government-sponsored hackers seem unconcerned about exposing theirs, and Chinese and North Korean hackers appear to be among the most public.