SharpPanda APT Group – Active IOCs
June 25, 2024
Severity
High
Analysis Summary
A new remote access trojan (RAT) named SpiceRAT is being used by the threat actor SneakyChef. This malware is part of a larger phishing campaign that has targeted government agencies across Europe, the Middle East, and Africa with SugarGh0st malware since at least August 2023.
The campaign involves sending phishing emails with RAR file attachments containing either SugarGh0st or SpiceRAT. These emails often use decoy PDFs related to the Turkmenistan state news agency to lure victims. Researchers said that two infection chains have been identified for the delivery of SpiceRAT, one utilizing LNK files and the other HTA files.
The LNK-based chain begins with a malicious RAR file containing a Windows shortcut which, when executed, triggers a series of actions that lead to the deployment of SpiceRAT. This chain involves multiple stages, including a decoy PDF and side-loading of a malicious DLL.
The HTA-based chain also starts with a RAR file, but the initial vector is a malicious HTA file that drops a base64-encoded downloader and creates a series of scheduled tasks to maintain persistence and execute the malicious payload.
SpiceRAT itself is a sophisticated tool with multiple components, including a legitimate executable for side-loading a malicious DLL, an encrypted payload, and plugins for further exploitation. The RAT is capable of extensive reconnaissance, collecting system information and sending it to command and control (C2) servers. It also features capabilities to download and execute additional payloads, enhancing the threat to the victim’s network.
The analysis revealed that SneakyChef uses several C2 servers with hardcoded URLs to manage the infected machines. These servers respond with encrypted data that the RAT uses to download and execute plugins. The infrastructure and tactics employed show overlaps with other known malware campaigns, suggesting that SneakyChef might be a Chinese-speaking actor. The choice to use legitimate applications like Samsung's helper application for side-loading malicious components is particularly noteworthy and aligns with tactics seen in previous campaigns involving PlugX and SPIVY RATs.
Researchers recommend users implement protections to mitigate the risk of SpiceRAT and other related threats. The comprehensive analysis underscores the complexity and evolving nature of APT campaigns, emphasizing the need for robust cybersecurity measures and continuous monitoring.
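The following is an added hunting example, not code from the advisory or its authors. It runs over constructed Sysmon-style events and flags the HTA chain described above (mshta.exe spawning a scripting host or schtasks, and scheduled tasks whose action points into a user-writable directory) plus any DNS query or connection to the domain and IP indicators listed in this advisory; the event field names and sample paths are assumptions.

```python
import re
from typing import Iterable

# Network IOCs taken from the advisory's Indicators of Compromise section.
IOC_DOMAINS = {"account.drive-google-com.tk", "account.gommask.online",
               "stock.adobe-service.net"}
IOC_IPS = {"94.198.40.4", "45.144.31.57"}
# Directories an unprivileged user can write to; a scheduled task whose
# action lives there matches the HTA chain's persistence pattern.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
# Children of mshta.exe worth flagging (scripting hosts and schtasks).
HTA_CHILDREN = re.compile(r"\\(schtasks|powershell|cmd|wscript|cscript)\.exe$", re.I)

def host_is_ioc(name: str) -> bool:
    """True for an IOC domain or any subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)

def hunt(events: Iterable[dict]) -> list:
    """Return (rule, detail) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        kind, cmd = ev.get("type"), ev.get("cmdline", "")
        if kind == "process":
            parent, image = ev.get("parent", ""), ev.get("image", "")
            # HTA chain: mshta.exe spawning a scripting host or schtasks.
            if parent.lower().endswith("\\mshta.exe") and HTA_CHILDREN.search(image):
                hits.append(("mshta-child", cmd))
            # Persistence: a new task whose action lives in a user-writable directory.
            if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower() \
                    and USER_WRITABLE.search(cmd):
                hits.append(("task-in-user-dir", cmd))
        elif kind == "dns" and host_is_ioc(ev.get("query", "")):
            hits.append(("ioc-domain", ev["query"]))
        elif kind == "network" and ev.get("dst") in IOC_IPS:
            hits.append(("ioc-ip", ev["dst"]))
    return hits

# Constructed sample telemetry in a Sysmon-like shape (not from the advisory).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Update /tr C:\Users\bob\AppData\Roaming\up.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Backup /tr C:\Program Files\Backup\run.exe"},
    {"type": "dns", "query": "Stock.Adobe-Service.net."},
    {"type": "dns", "query": "stock.adobe.com"},
    {"type": "network", "dst": "45.144.31.57"},
]
```

Calling hunt(SAMPLE_EVENTS) yields four hits (the legitimate backup task and the real Adobe lookup are not flagged); in practice, feed it parsed Sysmon or EDR events instead of the constructed list.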
Impact
- Unauthorized Access
- Sensitive Information Theft
- File Manipulation
- Remote Command Execution
Indicators of Compromise
Domain Name
- account.drive-google-com.tk
- account.gommask.online
- stock.adobe-service.net
IP
- 94.198.40.4
- 45.144.31.57
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data helps ensure that you don’t lose critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.