Chinese-Speaking SneakyChef Utilizes Decoy Documents and Diplomatic Lures Against Foreign Affairs Ministries

Source: Cisco Talos & Proofpoint

SneakyChef, an espionage-focused threat group that predominantly targets government agencies and ministries of foreign affairs across multiple countries, was identified by Cisco Talos researchers in an expansive cyber-espionage campaign. According to Cisco Talos, the group is assessed with "medium confidence" as likely Chinese-speaking and has been active since at least August 2023, targeting countries across the EMEA and Asia regions with the SugarGh0st and SpiceRAT malware. Attribution to Chinese state-backed operations is supported by the deployment of SugarGh0st, a remote access trojan (RAT) that Talos identifies as a variant of Gh0st RAT, which is frequently used by Chinese-affiliated threat actors. The group's focus on these targets is evident in decoy documents themed around governmental and diplomatic communications. Cisco Talos's examination of the decoy documents suggests, with "low confidence," that targets include the Ministry of Foreign Affairs of Kazakhstan, the Ministry of Foreign Affairs of India, and the Embassy of the Kingdom of Saudi Arabia in Abu Dhabi, among others. The documents typically contain information on international relations and policy matters, leveraging specific geopolitical interests as part of the social engineering scheme.

The latest attack chain utilized by SneakyChef incorporates self-extracting (SFX) archive files, presumably delivered through phishing emails. The archive drops a VBScript that establishes persistence on the victim's system by modifying the UserInitMprLogonScript registry value to execute regsvr32.exe, which in turn loads a malicious DLL at the user's next login. "When a user logs into the system, the command runs and launches the loader DLL 'update.dll' using regsvr32.exe. The loader reads the encrypted SugarGh0st RAT 'authz.lib', decrypts it, and injects it into a process. This technique is the same as that of the SugarGh0st campaign disclosed by the Kazakhstan government in February," explain Cisco Talos researchers. To aid its stealth, the threat actor registers domain names that mimic legitimate services, such as a Google Drive look-alike domain for command and control (C2) communications.
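The persistence chain above leaves two observable artifacts that a defender can alert on: a write to the UserInitMprLogonScript value (which lives under HKCU\Environment) and a regsvr32.exe launch that loads a DLL from a non-system directory. The following is an added detection example, not code from Cisco Talos, Proofpoint or Anvilogic; the Sysmon-style event records, the user SID and the DLL path C:\Users\Public\Music\update.dll are constructed placeholders, since the page does not give the real drop location.

```python
"""Added detection example: flag the two observable steps of the
UserInitMprLogonScript -> regsvr32.exe -> loader DLL persistence chain.
Events are modelled on Sysmon Event ID 13 (registry value set) and
Event ID 1 (process creation); all sample values below are constructed.
"""
import re
from typing import Iterable, List, Optional

# Logon-script persistence value: HKCU\Environment\UserInitMprLogonScript (MITRE T1037.001).
LOGON_SCRIPT_VALUE = re.compile(r"\\environment\\userinitmprlogonscript$", re.IGNORECASE)

# Directories from which regsvr32 legitimately loads DLLs; anything else is suspicious.
# (Assumed allow-list; tune for your environment.)
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Pull DLL-like paths out of a command line (quoted or unquoted).
DLL_ARG = re.compile(r'"?([a-z]:\\[^"\s]+\.(?:dll|lib|ocx))"?', re.IGNORECASE)


def check_registry_event(event: dict) -> Optional[str]:
    """Alert when any process writes the UserInitMprLogonScript value."""
    if event.get("EventID") != 13:
        return None
    if LOGON_SCRIPT_VALUE.search(event.get("TargetObject", "")):
        return (f"logon-script persistence: {event.get('Image')} set "
                f"UserInitMprLogonScript to {event.get('Details')!r}")
    return None


def check_process_event(event: dict) -> Optional[str]:
    """Alert when regsvr32.exe is asked to load a DLL from outside trusted directories."""
    if event.get("EventID") != 1:
        return None
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return None
    for match in DLL_ARG.finditer(event.get("CommandLine", "")):
        path = match.group(1).lower()
        if not path.startswith(TRUSTED_DLL_DIRS):
            return f"regsvr32 loading DLL from untrusted path: {match.group(1)}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run both checks over an event stream and return the alert strings."""
    alerts: List[str] = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two malicious events mirroring the described chain,
# followed by two benign events that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript",
     "Details": "regsvr32.exe /s C:\\Users\\Public\\Music\\update.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Users\\Public\\Music\\update.dll"'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Windows\\System32\\msxml3.dll"'},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\TEMP",
     "Details": "C:\\Temp"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The registry check fires on any writer of that value, not only wscript.exe, because a legitimate write to UserInitMprLogonScript is rare enough on workstations that the value itself is the signal; the regsvr32 check keys on the DLL path rather than the file name, since loader names such as update.dll change between campaigns.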

Research on the SneakyChef threat actor has been aided by insights from the Yahoo! Paranoids Advanced Cyber Threats Team and Proofpoint. Proofpoint researchers tracked SugarGh0st in a campaign targeting artificial intelligence specialists in the United States, particularly in education, private industry, and government. Proofpoint's findings align with Cisco Talos's concern about highly targeted campaigns using malware attributed to Chinese-speaking actors.
