RATs allow threat actors to execute the following malicious actions while remaining hidden from the victim:

Recently, cybersecurity researchers at Cisco Talos discovered a malicious campaign delivering a new RAT, dubbed "SugarGh0st." Security analysts affirmed that the campaign has been active since early August 2023.

The threat actors distribute SugarGh0st via malicious Windows Shortcut (LNK) files and JavaScript. The samples include an archive containing a Windows Shortcut LNK file that delivers a decoy document about a presidential decree in Uzbekistan. The likely initial vector is a phishing email carrying a malicious RAR archive sent to a Ministry of Foreign Affairs employee.

Targets extend to South Korea alongside Uzbekistan, as evidenced by three Korean-language decoy documents dropped via a malicious JavaScript file embedded in a Windows Shortcut. The documents mimic a Microsoft account notification, reuse blockchain news content, and provide computer maintenance instructions.

Artifacts point to a Chinese-speaking actor: the decoy files carry names in Simplified Chinese. The actor's choice of SugarGh0st, a Gh0st RAT variant, aligns with Chinese threat actor practices known since 2008. Chinese actors have historically targeted Uzbekistan, which is consistent with the current campaign's focus on the Ministry of Foreign Affairs.

SugarGh0st, a customized Gh0st RAT variant, traces back to the Chinese C.Rufus Security Team's 2008 release. The public availability of Gh0st RAT's source code has led to numerous variants favored by Chinese-speaking actors for surveillance. SugarGh0st extends reconnaissance by looking for specific ODBC registry keys, and it modifies the C2 communication protocol.
It adapts features for remote administration and detection evasion, and it aligns with Gh0st RAT's capabilities, including:

In the first infection chain, a malicious RAR containing a Windows Shortcut triggers JavaScript, which then drops the following elements:

The chain then executes the batch script via sideloaded rundll32 and decrypts the payload, which is run reflectively.

In the second infection chain, the RAR holds malicious Windows Shortcuts that execute commands to drop a JavaScript dropper in %TEMP% and run it with cscript. The legitimate DLL enables the shellcode for the SugarGh0st payload. Using a hardcoded domain and port, SugarGh0st connects to its C2 using Winsock functions, starting with "WSAStartup".
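As an added detection example (not code from the Talos report or this article), the following Python flags two telemetry patterns that the infection chains above describe: a script host running a .js file out of %TEMP%, and rundll32 loading a DLL from a user-writable directory. The event records, field names and file paths are constructed, and the assumption that the sideloaded DLL resides in a user-writable directory is mine.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    # Chain 2 pattern: LNK-spawned cscript running a JS dropper from %TEMP%.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //E:jscript C:\Users\u\AppData\Local\Temp\notice.js"},
    # Chain 1 pattern (assumed): rundll32 loading a DLL from a user-writable path.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\legit.dll,Start"},
    # Benign: vendor maintenance script from a protected directory.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Program Files\Vendor\maint.vbs"},
    # Benign: rundll32 invoking a system DLL by name.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Directories an unprivileged user can write to (constructed, non-exhaustive).
USER_WRITABLE = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def basename(path):
    """Last path component, lower-cased, for image-name comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event trips; empty means benign."""
    hits = []
    image = basename(event["image"])
    cmd = event["cmdline"]
    # Script host executing a .js file located in a user-writable directory.
    if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("script_host_js_from_temp")
    # rundll32 given a DLL path inside a user-writable directory (sideloading indicator).
    if image == "rundll32.exe" and re.search(r"\.dll\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("rundll32_dll_from_user_dir")
    return hits


def scan(events):
    """Return (index, rules) for every event that trips at least one rule."""
    results = []
    for i, event in enumerate(events):
        rules = classify(event)
        if rules:
            results.append((i, rules))
    return results
```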
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 01 Dec 2023 12:10:22 +0000