Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan
A suspected Chinese-speaking threat actor has been identified in a cyber campaign targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users. The campaign, active since at least August 2023, revolves around a remote access trojan (RAT) known as SugarGh0st RAT, a customized version of the infamous Gh0st RAT, also known as Farfli.
The attackers use two distinct infection methods to deliver the malware, both of them complex. Cisco Talos researchers Ashley Shen and Chetan Raghuprasad detailed that SugarGh0st RAT comes with features for carrying out remote administration tasks as directed by the command-and-control (C2) server, and that it uses a modified communication protocol.
The attack starts with phishing emails carrying decoy documents. Once these documents are opened, a multi-stage process is triggered that leads to the deployment of SugarGh0st RAT. The decoy documents are embedded in a heavily obfuscated JavaScript dropper, which is concealed in a Windows Shortcut file inside the RAR archive attached to the email.
Shen and Raghuprasad explained, "The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document." The batch script then runs the DLL loader in the background, sideloading it with a copied version of the legitimate Windows executable rundll32.exe, to decrypt and launch the SugarGh0st payload.
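The copied rundll32.exe in this chain is a usable hunting signal, because the genuine binary normally runs only from the Windows system directories. The following is an added example, not code from Cisco Talos or from the original article: it checks process-creation events that use Sysmon Event ID 1 field names, the sample events are constructed, and the C:\Windows install path is an assumption.

```python
import ntpath

# Assumption: Windows is installed under C:\Windows on the monitored hosts.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events using Sysmon Event ID 1 field names.
# Users, paths and file names are invented for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe", "OriginalFileName": "setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def findings(event):
    """Return the reasons an event looks like a relocated rundll32, or []."""
    image = ntpath.normpath(event.get("Image", "")).lower()
    directory, name = ntpath.split(image)
    original = event.get("OriginalFileName", "").lower()
    # OriginalFileName comes from the PE version resource, so it survives a rename.
    if "rundll32.exe" not in (name, original) or directory in TRUSTED_DIRS:
        return []
    reasons = ["rundll32 binary outside System32/SysWOW64"]
    if "\\temp\\" in image:
        reasons.append("image runs from a Temp directory")
    if ntpath.basename(event.get("ParentImage", "")).lower() in SCRIPT_PARENTS:
        reasons.append("parent is a batch interpreter or script host")
    return reasons

def detect(events):
    """Return (image path, reasons) for every suspicious event."""
    hits = []
    for event in events:
        reasons = findings(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```
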
A second variant of the attack also uses a RAR archive containing a malicious Windows Shortcut file that poses as a lure. In this variant the shortcut triggers JavaScript that uses DynamicWrapperX to execute shellcode, which launches SugarGh0st RAT.
SugarGh0st RAT, a 32-bit dynamic-link library (DLL) written in C++, contacts a hard-coded command-and-control (C2) domain. It transmits system metadata to the server and can then carry out actions such as launching a reverse shell and executing arbitrary commands. The malware can also enumerate and terminate processes, capture screenshots, perform file operations, and erase the machine's event logs to conceal its presence and avoid detection.
The campaign's connection to China is rooted in Gh0st RAT's Chinese origins and its widespread adoption by Chinese threat actors. The release of its source code in 2008 further fueled its popularity. Additionally, the use of Chinese names in the "last modified by" field within the metadata of the decoy files serves as compelling evidence of the campaign's ties to China.