2023-12-07

New Gh0st RAT Variant "SugarGh0st RAT" Runs Espionage Campaigns

Level: Tactical | Source: Cisco Talos | Global

A suspected Chinese threat actor is actively engaged in a cyberespionage campaign targeting users in Uzbekistan and South Korea, as disclosed by Cisco Talos. The discovery, supported by the identification of four samples, underscores a strategic focus on these specific regions. Cisco Talos clarifies that the targeting criteria are "based on the language of the decoy documents, the lure content, and distribution indicators." Notably, one sample specifically targeted the Ministry of Foreign Affairs of Uzbekistan, employing a decoy document related to a presidential decree, with the information noted to have been "published in multiple Uzbekistan sources in 2021." Additionally, three other decoy documents in Korean suggest a potential emphasis on South Korea. Talos identified artifacts hinting that the actor may be Chinese-speaking, aligning with the historical context of Chinese threat actors targeting Uzbekistan.

The threat actor employs a remote access trojan (RAT) that Cisco Talos identifies as the "SugarGh0st" RAT, a customized variant of the well-known Gh0st RAT, which was developed by a Chinese group. SugarGh0st showcases advanced features and bolsters its reconnaissance capabilities by actively searching for specific Open Database Connectivity (ODBC) registry keys. Talos reports two distinct infection chains in this campaign. The first involves a malicious RAR file with a Windows Shortcut (LNK) file, which executes a JavaScript dropper that ultimately deploys SugarGh0st. The second uses the DynamicWrapperX loader to inject and run shellcode, which decrypts and executes SugarGh0st. In both infection chains, native Windows binaries, including rundll32.exe and wscript.exe, are copied into the %TEMP% folder before execution.
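The copy-to-%TEMP% behavior described above lends itself to a process-creation hunt. The following is an added example, not code from Cisco Talos or from this page; it assumes Sysmon-style `Image` and `OriginalFileName` fields and the usual Temp locations, and it goes slightly beyond the article by also flagging renamed copies and copies in other non-system directories.

```python
import ntpath
import re

# Native binaries the article says are copied into %TEMP% before execution.
WATCHED = {"rundll32.exe", "wscript.exe"}
# Assumption: %TEMP% resolves to a per-user AppData\Local\Temp or to Windows\Temp.
TEMP_RE = re.compile(r"\\(users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\", re.I)
SYSTEM_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)$", re.I)

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\kim\AppData\Local\Temp\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": "C:/Users/kim/AppData/Local/Temp/../Temp/wscript.exe"},
    {"Image": r"C:\Users\kim\AppData\Local\Temp\update.exe", "OriginalFileName": "wscript.exe"},
    {"Image": r"C:\ProgramData\wscript.exe", "OriginalFileName": "wscript.exe"},
    {"Image": r"C:\Users\kim\AppData\Local\Temp\setup.exe", "OriginalFileName": "setup.exe"},
]

def normalize(path):
    """Strip quotes, unify separators and collapse '..' so paths compare reliably."""
    return ntpath.normpath(path.strip().strip('"').replace("/", "\\"))

def classify(event):
    """Return 'temp_copy', 'unexpected_dir' or None for one process-creation event."""
    directory, name = ntpath.split(normalize(event["Image"]))
    original = (event.get("OriginalFileName") or "").lower()
    # Check the PE original file name as well, so a renamed copy is still caught.
    if name.lower() not in WATCHED and original not in WATCHED:
        return None
    if SYSTEM_RE.match(directory):
        return None  # running from its normal system directory
    if TEMP_RE.search(directory + "\\"):
        return "temp_copy"
    return "unexpected_dir"

def hunt(events):
    """Return (normalized image path, verdict) for every event worth triage."""
    return [(normalize(e["Image"]), v) for e in events if (v := classify(e))]

if __name__ == "__main__":
    for image, verdict in hunt(SAMPLE_EVENTS):
        print(f"{verdict:15} {image}")
```
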

SugarGh0st's capabilities encompass keylogging, screenshot capture, system enumeration, log clearing, remote control, and data exfiltration, demonstrating the actor's extensive control over compromised systems. The RAT is also adept at managing "the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services."

Cisco Talos attributed the campaign to a Chinese-speaking threat actor with "low confidence." The assessment was based on artifacts observed in the campaign, such as metadata within decoy files featuring Simplified Chinese characters and the deployment of a customized variant of the Gh0st RAT malware, a tool commonly utilized by Chinese threat actors.
