Severity
High
Analysis Summary
A new version of the infamous Gh0st RAT malware is most likely being used by a Chinese threat actor in an attempt to obtain data from academic institutions, US government organizations, and artificial intelligence specialists. Researchers are tracking the previously unidentified threat actor responsible for the campaign as "UNK_SweetSpecter", having first observed the activity earlier this month.
The security researchers revealed in a report dated May 16 that the group had infected a very select set of AI professionals with SugarGh0st, a remote access trojan (RAT), via an AI-themed phishing lure. According to open-source research, the May 2024 campaign appeared to target fewer than ten people, all of whom seemed to have a direct relationship with a single prominent US-based artificial intelligence company.
Not enough data has been collected thus far to connect the malicious activity to any recognized nation-state threat actor or purpose. However, it is noteworthy that this campaign is highly targeted, uses a lure theme that expressly mentions an AI tool, targets AI professionals, expresses interest in connecting with technical personnel, and uses a particular piece of software. The actor most likely wanted access to confidential material regarding generative AI.
In November of last year, researchers discovered that a suspected Chinese threat actor was using the SugarGh0st malware in a cyber-espionage and surveillance campaign directed toward government officials in South Korea and Uzbekistan. According to that study, the malware is a customized version of Gh0st RAT, a remote administration tool that originally came to light in 2008 when the C. Rufus Security Team, a China-based threat group, released its source code to the public. Since then, it has been used in numerous campaigns and attacks by various Chinese groups, including nation-state actors.
Cybersecurity experts found that SugarGh0st differs from Gh0st RAT in several significant respects and improves on it. For example, SugarGh0st appears to be built with reconnaissance features for particular goals. One of the malware's new capabilities is the ability to locate and identify particular Open Database Connectivity (ODBC) registry keys, probably to support data exfiltration and to evade security controls. Additionally, the latest version can load and execute malicious code from library files with particular file extensions and function names. It also allows remote operators to send custom commands over the command-and-control (C2) channel.
Many of SugarGh0st's other primary features, according to the researchers, are comparable to those seen in Gh0st RAT. These include the ability to download additional malware, spy through the system webcam, log keystrokes both in real time and offline, and grant complete remote control of the compromised machine.
Researchers observed that in the UNK_SweetSpecter campaign, the threat actor used a free email account to send targets a message with an AI-themed subject line and a zip archive attached. The email appeared to come from someone who had experienced issues with a certain AI product. It requested the recipient's help in answering any questions the sender had about the alleged problem, or in passing them to the appropriate technical staff, via the attached document.
Once delivered, the zip archive dropped a shortcut file on the target system. This file is almost identical to the one researchers described in their SugarGh0st analysis the previous year. The shortcut launched a JavaScript dropper containing a base64-encoded encrypted payload, an ActiveX sideloading tool, and a decoy document. The infection chain ended with SugarGh0st installed on the victim system and communicating with a C2 server under the attacker's control.
In light of recent reports of US government efforts to limit Chinese access to generative AI technologies, the campaign is probably an attempt by a China-affiliated actor to collect generative AI secrets through cyber theft. Earlier this year, the US Department of Justice charged a Google software engineer with stealing AI trade secrets from the company and attempting to apply them at two AI-related technology businesses in China, one of which he founded.
Impact
- Sensitive Information Theft
- Data Exfiltration
- Cyber Espionage
- Keylogging
Indicators of Compromise
Domain Name
- account.gommask.online
IP
- 43.242.203.115
MD5
- e0b8dfd17b8e7de760b273d18e58b142
SHA-256
- 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379
SHA-1
- 801509fb6783c9e57edc67a72dde3c62080ffbaf
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade all platforms and software in a timely manner, and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
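As an added example (not part of this advisory), the following Python script performs the IoC sweep the remediation list calls for: it hashes files under a directory against the three file hashes above and scans DNS/proxy log lines for the C2 domain and IP. The log lines are constructed samples, and the log format is an assumption.

```python
import hashlib
import re
from pathlib import Path

# Indicators published in this advisory: C2 domain, C2 IP and the dropper's file hashes.
IOC_DOMAIN = "account.gommask.online"
IOC_IP = "43.242.203.115"
IOC_HASHES = {
    "e0b8dfd17b8e7de760b273d18e58b142",                                  # MD5
    "801509fb6783c9e57edc67a72dde3c62080ffbaf",                          # SHA-1
    "4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379",  # SHA-256
}

# Whole-token match for the domain (or a host under it) or the exact IP, so that
# 143.242.203.115 or gommask.online-cdn.net do not count as hits.
NET_IOC_RE = re.compile(
    r"(?<![\w.-])(?:(?:[\w-]+\.)*" + re.escape(IOC_DOMAIN) + "|"
    + re.escape(IOC_IP) + r")(?![\w.-])", re.IGNORECASE)

def file_hashes(path):
    """MD5, SHA-1 and SHA-256 hex digests of one file, computed in a single chunked read."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}

def scan_files(root):
    """Paths under root whose MD5, SHA-1 or SHA-256 equals one of the advisory hashes."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and file_hashes(p) & IOC_HASHES)

def scan_log_lines(lines):
    """(line number, indicator) for each log line naming the C2 domain or IP."""
    return [(n, m.group(0)) for n, line in enumerate(lines, start=1)
            if (m := NET_IOC_RE.search(line))]

# Constructed sample DNS/proxy log lines (not real telemetry) to exercise the matcher.
SAMPLE_LOG = [
    "2024-05-16T10:02:11Z dns query=account.gommask.online type=A client=10.0.0.25",
    "2024-05-16T10:02:12Z proxy dst=43.242.203.115:443 method=CONNECT client=10.0.0.25",
    "2024-05-16T10:03:40Z proxy dst=143.242.203.115:443 method=CONNECT client=10.0.0.31",
    "2024-05-16T10:04:01Z dns query=updates.example.com type=A client=10.0.0.25",
]

if __name__ == "__main__":
    for n, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"log line {n}: indicator {ioc}")
```

Run `scan_files` against download and temp directories and `scan_log_lines` over exported DNS or proxy logs; the third sample line shows why the whole-token match matters.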