New Gh0st RAT Variant "SugarGh0st RAT" Runs Espionage Campaigns
A suspected Chinese threat actor is running a cyberespionage campaign against targets in Uzbekistan and South Korea, according to Cisco Talos. The assessment rests on four samples, and Talos notes that the targeting is inferred "based on the language of the decoy documents, the lure content, and distribution indicators." One sample was aimed at the Ministry of Foreign Affairs of Uzbekistan and used a decoy document concerning a presidential decree, information Talos notes had been "published in multiple Uzbekistan sources in 2021." The other three decoy documents are written in Korean, pointing to South Korea as a second focus. Talos also found artifacts suggesting the operator is Chinese-speaking, which fits the historical pattern of Chinese threat actors targeting Uzbekistan.
SugarGh0st supports keylogging, screenshot capture, system enumeration, log clearing, remote control, and data exfiltration, giving the operator broad control over a compromised host. It can also interact with the host's service manager: per Talos, the RAT accesses "the configuration files of the running services and can start, terminate or delete the services," which lets it disable defenses or establish persistence through services as well as clean up after itself.
Cisco Talos attributes the campaign to a Chinese-speaking threat actor with "low confidence." The assessment is based on artifacts observed in the campaign: metadata in the decoy files containing Simplified Chinese characters, and the use of a customized variant of Gh0st RAT, a tool commonly used by Chinese threat actors. The low confidence is appropriate, since Gh0st RAT's source code has been publicly available for years and its use by itself is weak evidence of origin.