SpiceRAT and SugarGh0st are Employed by Chinese Hackers in an International Espionage Campaign including India.


Since at least August 2023, a Chinese-speaking threat actor tracked as SneakyChef has been tied to an espionage campaign that predominantly targets government agencies across Asia and EMEA (Europe, the Middle East, and Africa) with the SugarGh0st malware. The campaign has been running for at least a year.


Chetan Raghuprasad and Ashley Shen, researchers at Cisco Talos, stated in an investigation published today that “SneakyChef uses baits that are digital copies of government agencies.” The majority of these documents relate to the Ministries of Foreign Affairs or embassies of various countries.

The hacking group's activities were first brought to light by the cybersecurity company in late November 2023, in connection with an attack campaign that targeted South Korea and Uzbekistan using SugarGh0st, a customized variant of Gh0st RAT.


In a subsequent investigation published by Proofpoint a month ago, SugarGh0st RAT was found to have been used against organizations in the United States engaged in artificial intelligence research, spanning academia, the private sector, and government services. Proofpoint tracks the cluster under the name UNK_SweetSpecter.

It is worth noting that SneakyChef corresponds to the same campaign that Palo Alto Networks Unit 42 tracks as Operation Diplomatic Specter. According to that vendor, the activity has been ongoing since at least the latter half of 2022 and has targeted governmental institutions in the Middle East, Africa, and Asia.

Talos says it recently observed the same malware being used to likely target various government departments across Angola, India, Latvia, Saudi Arabia, and Turkmenistan. This assessment is based on the lure documents used in the spear-phishing campaigns, and it indicates that the set of targeted countries has expanded.


The new wave uses a self-extracting RAR archive (SFX) as the initial delivery vector: it launches a Visual Basic Script (VBS) that displays the decoy document while a loader executes the malware. The attack chains also use Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st.

Neytralny Turkmenistan is a Russian-language newspaper in Turkmenistan. The attacks carried out against Angola are significant for a number of reasons, one of which is that they make use of a novel remote access trojan known as SpiceRAT.


SpiceRAT, for its part, uses two distinct infection chains to reach victims. One relies on an LNK file contained within a RAR archive and uses DLL side-loading to load the trojan.

“When the victim opens the RAR file, it drops the LNK and a secret folder on their machine,” according to the investigation team. “After a victim opens the shortcut file, which posed as a PDF document, it runs a coded command to launch the malicious launcher program from the dropped hidden folder.”

After the decoy document is displayed to the victim, the launcher executes a legitimate binary called “dxcap.exe,” which then side-loads a malicious DLL responsible for loading SpiceRAT.

The second chain uses an HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader binary. The HTA launches the executable by means of a scheduled task that runs every five minutes.


The batch script, in turn, is designed to run a different legitimate executable called “ChromeDriver.exe” every ten minutes; this executable side-loads a malicious DLL, which in turn loads SpiceRAT. ChromeDriver.exe, the DLL, and the RAT payload are all extracted from a ZIP archive that the downloader binary retrieves from a remote server.
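Both SpiceRAT chains described above share two observable behaviours: a legitimate binary (dxcap.exe or ChromeDriver.exe, both named in the report) loading a DLL that sits next to it outside the Windows system directories, and a scheduled task with a short repeat interval whose target lives in a user-writable path. The following detection logic is an added example written for this article; it is not Talos code and not an artifact from the campaign. It runs over constructed, simplified Sysmon-style key=value event lines; the field names (EventType, Image, ImageLoaded, CommandLine) are assumptions for the example, and the host binary names come from the text.

```python
"""Added example: flag DLL side-loading by known host binaries and
short-interval scheduled tasks in simplified, constructed event lines."""
import ntpath
import re

# Legitimate binaries the article names as side-loading hosts (lower-cased).
SIDELOAD_HOSTS = {"dxcap.exe", "chromedriver.exe"}
# DLL loads from these directories are expected; anything else is suspect.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Scheduled-task targets under these roots are not flagged by the interval rule.
TRUSTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample telemetry (not real logs); field names are assumed.
SAMPLE_EVENTS = [
    'EventType=ImageLoad Image=C:\\Windows\\System32\\dxcap.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll',
    'EventType=ImageLoad Image=C:\\Users\\victim\\AppData\\Local\\Temp\\tmp\\dxcap.exe ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\tmp\\version.dll',
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\schtasks.exe CommandLine="schtasks /create /sc minute /mo 5 /tn Update /tr C:\\Users\\victim\\AppData\\Roaming\\svc.exe"',
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\schtasks.exe CommandLine="schtasks /create /sc daily /tn Backup /tr C:\\Program Files\\Backup\\backup.exe"',
    'EventType=ImageLoad Image=C:\\Users\\victim\\AppData\\Roaming\\ChromeDriver.exe ImageLoaded=C:\\Users\\victim\\AppData\\Roaming\\libcurl.dll',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_sideload(ev):
    """True when a known host binary loads a DLL from its own, untrusted directory."""
    if ev.get("EventType") != "ImageLoad":
        return False
    host = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    if ntpath.basename(host) not in SIDELOAD_HOSTS:
        return False
    dll_dir = ntpath.dirname(dll)
    if dll_dir.startswith(TRUSTED_DLL_DIRS):
        return False  # normal system DLL resolution, e.g. kernel32 from System32
    # Classic side-loading signal: the DLL sits beside the relocated host binary.
    return dll_dir == ntpath.dirname(host)


def is_short_interval_task(ev, max_minutes=15):
    """True for schtasks /create with a minute-based interval <= max_minutes
    whose target is outside the trusted program directories."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    if ntpath.basename(ev.get("Image", "").lower()) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    interval = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd)
    if not interval or int(interval.group(1)) > max_minutes:
        return False
    target = re.search(r"/tr\s+(\S+)", cmd)
    return bool(target) and not target.group(1).startswith(TRUSTED_TASK_DIRS)


def detect(lines):
    """Return (rule, process, detail) tuples for every matching event line."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload(ev):
            alerts.append(("dll_sideload", ev["Image"], ev["ImageLoaded"]))
        elif is_short_interval_task(ev):
            alerts.append(("short_interval_task", ev["Image"], ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The first sample line is the deliberate negative case: dxcap.exe loading kernel32.dll from System32 is the same "DLL beside the host" shape, but the trusted-directory check keeps it quiet. In production the host list would be far longer than the two binaries named here, and the interval rule is a triage signal rather than a verdict, since some legitimate agents also schedule themselves every few minutes.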

SpiceRAT also uses the DLL side-loading approach to start a DLL loader. The loader first enumerates the running processes to determine whether it is being debugged, and then executes the main module from memory.
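A loader that enumerates processes to look for a debugger usually leaves two things in its binary: references to the process-enumeration API and the names of the debuggers it checks for. The following static triage scan is an added example, not Talos code and not derived from the SpiceRAT sample; it extracts ASCII and UTF-16LE strings from a byte blob and reports when both kinds of evidence co-occur. The sample blob is constructed inline, and the API and debugger name lists are the author's assumptions about what such a check commonly references.

```python
"""Added example: static triage for a process-enumeration-based debugger
check, run over a constructed byte blob rather than a real sample."""
import re

# Windows Tool Help API names used to walk the process list (assumed list).
PROCESS_ENUM_APIS = {
    b"CreateToolhelp32Snapshot", b"Process32First", b"Process32Next",
    b"Process32FirstW", b"Process32NextW",
}
# Process names of common debuggers such a loader might look for (assumed list).
DEBUGGER_NAMES = {
    b"x64dbg.exe", b"x32dbg.exe", b"ollydbg.exe", b"windbg.exe", b"ida64.exe", b"idaq.exe",
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # 4+ UTF-16LE printable chars


def extract_strings(data):
    """Return the set of ASCII and UTF-16LE strings (as bytes) found in data."""
    found = set(ASCII_RE.findall(data))
    for wide in WIDE_RE.findall(data):
        found.add(wide[::2])  # drop the interleaved NUL bytes of UTF-16LE
    return found


def scan_for_debugger_check(data):
    """Report process-enumeration APIs and debugger names present in data.
    'suspicious' is set only when both kinds of evidence appear together."""
    strings = extract_strings(data)
    lowered = {s.lower() for s in strings}
    # Import names are NUL-terminated, so exact matches suffice for APIs.
    apis = sorted(a.decode() for a in PROCESS_ENUM_APIS if a in strings)
    # Debugger names may be embedded in a longer path, so match on the suffix.
    names = sorted(n.decode() for n in DEBUGGER_NAMES
                   if any(s.endswith(n.lower()) for s in lowered))
    return {"process_enum_apis": apis, "debugger_names": names,
            "suspicious": bool(apis) and bool(names)}


def build_sample():
    """Constructed stand-in for a loader: a fake header, an import-like
    ASCII region, and UTF-16LE debugger names. Not a real binary."""
    blob = bytearray(b"MZ" + b"\x00" * 62)
    blob += b"kernel32.dll\x00CreateToolhelp32Snapshot\x00Process32NextW\x00"
    blob += b"\x00" * 8 + "x64dbg.exe".encode("utf-16-le") + b"\x00\x00"
    blob += "C:\\tools\\ollydbg.exe".encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * 8 + b"RandomOtherString\x00"
    return bytes(blob)


if __name__ == "__main__":
    print(scan_for_debugger_check(build_sample()))
```

The co-occurrence rule matters: anti-cheat engines, licensing code and some system utilities legitimately use the Tool Help API, and a debugger name on its own can come from an innocuous help string. This is a prioritisation heuristic for an analyst queue, not a detection verdict, and packed or string-encrypted samples will not expose these strings until they are unpacked.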

“With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks,” Talos said.


About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also frequently writes for Craw Security.
