SugarGh0st RAT Delivered via Malicious Windows & JavaScript

Remote access trojans (RATs) let threat actors carry out a range of malicious actions on a compromised host while remaining hidden from the victim. Cybersecurity researchers at Cisco Talos recently discovered a malicious campaign delivering a new RAT, dubbed "SugarGh0st," that has been active since early August 2023.

The threat actors distribute SugarGh0st through malicious Windows Shortcut (LNK) files and JavaScript. The samples include an archive containing a Windows Shortcut that delivers a decoy document related to a presidential decree in Uzbekistan. The likely initial vector is a phishing email carrying a malicious RAR archive, sent to an employee of the Uzbek Ministry of Foreign Affairs. Targets extend to South Korea as well: three Korean-language decoy documents were dropped by a malicious JavaScript file launched from a Windows Shortcut. The documents mimic a Microsoft account notification, reuse blockchain news content, and give computer maintenance instructions.

Artifacts point to a Chinese-speaking actor; the decoy files carry names in Simplified Chinese. The actor's choice of SugarGh0st, a Gh0st RAT variant, is consistent with the tooling of Chinese threat actors, and Chinese actors have historically targeted Uzbekistan, which fits a campaign aimed at its Ministry of Foreign Affairs.

SugarGh0st is a customized variant of Gh0st RAT, which the Chinese C.Rufus Security Team released publicly in 2008. Because Gh0st RAT's source code is publicly available, numerous variants have appeared, and Chinese-speaking actors favor them for surveillance. SugarGh0st extends the original's reconnaissance by searching for specific ODBC registry keys and modifies the C2 communication protocol. It adapts the remote-administration and detection-evasion features and retains Gh0st RAT's core capabilities.

Two infection chains were observed. In the first, a malicious RAR archive contains a Windows Shortcut that launches JavaScript; the JavaScript drops the campaign's components, among them a batch script and an encrypted SugarGh0st payload, and then runs the batch script. The batch script uses a copied rundll32 to sideload the component that decrypts the payload and runs it reflectively in memory. In the second chain, the RAR archive holds malicious Windows Shortcuts that execute a command to drop a JavaScript dropper into %TEMP% and run it with cscript; a legitimate DLL is then used to execute the shellcode that loads the SugarGh0st payload. Once running, SugarGh0st initializes Winsock with WSAStartup and connects to its C2 server using a hardcoded domain and port.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 01 Dec 2023 12:10:22 +0000


Cyber News related to SugarGh0st RAT Delivered via Malicious Windows & JavaScript

A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets - A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan. The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in ...
11 months ago Darkreading.com
The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
10 months ago Cyberdefensemagazine.com
Digital Battlefield: Syrian Threat Group's Sinister SilverRAT Emerges - Cyfirma claims that the developers maintain a sophisticated and active presence on multiple hacker forums and social media platforms, as outlined by the cybersecurity company. Besides operating a Telegram channel offering leaked databases, carding ...
9 months ago Cysecurity.news
SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities - The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and ...
11 months ago Thehackernews.com
Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms - Attackers likely tied the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected ...
11 months ago Darkreading.com
Silver RAT Evades Anti-viruses to Hack Windows Machines - Hackers use Remote Access Trojans to gain unauthorized access and control over a victim's computer remotely. These malicious tools allow hackers to perform various malicious activities like the following without the user's knowledge:-. Recently, ...
9 months ago Cybersecuritynews.com
FBI Shuts Down Warzone RAT; Cybercriminals Arrested - In a major victory against cybercrime, the FBI has successfully taken down the Warzone RAT malware operation. This operation led to the arrest of two individuals involved in the illicit activities. One of the suspects, 27-year-old Daniel Meli from ...
8 months ago Cysecurity.news
How Stealthy Python Rat Malware is Targeting Windows Systems - Cybersecurity experts have recently alerted Windows users to a new malware threat: a stealthy python-based RAT malware that is specifically targeting Windows systems. The malware, which has been dubbed “Python Rat” by security researchers, has ...
1 year ago Bleepingcomputer.com
'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE - A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan that evades detection, partially by showing up as legitimate software. Threat actors previously have used the RAT ...
7 months ago Darkreading.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
11 months ago Techrepublic.com
Gh0st rat - Gh0st RAT is a Trojan horse for the Windows platform. The “RAT” part of the name refers to the software’s ability to operate as a "Remote Administration Tool". It is a cyber spying computer program used to control infected Windows computers ...
11 months ago
CVE-2009-3874 - Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary ...
6 years ago
Windows Incident Response: Human Behavior In Digital Forensics, pt II - Targeted Threat ActorI was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT ...
10 months ago Windowsir.blogspot.com
Lifehacks for Analyzing Orcus Rat Data in 2023 - As the world of data becomes an increasingly integral part of our lives, it is important to understand how to analyze data from the Orcus Rat. This is because it can provide an even greater understanding of the trends in the market and how companies ...
1 year ago Thehackernews.com
FBI seizes Warzone RAT infrastructure, arrests malware vendor - The FBI dismantled the Warzone RAT malware operation, seizing infrastructure and arresting two individuals associated with the cybercrime operation. Daniel Meli, 27, a resident of Malta, was arrested last week for his role in the proliferation of ...
8 months ago Bleepingcomputer.com
Krasue RAT Malware: A New Threat to Linux Systems - In the field of cybersecurity, a potent and covert threat called Krasue has surfaced. This remote access trojan has been silently infiltrating Linux systems, primarily targeting telecommunications companies since 2021. This blog post will explore ...
10 months ago Securityboulevard.com
AllaKore RAT: Malware Target Mexican Banks and Crypto Platforms - Mexican financial institutions are suffering attacks by a new spear-phishing campaign, spreading a modified version of an open-source remote access trojan named 'AllaKore RAT'. The activity was attributed by the BlackBerry Research and Intelligence ...
9 months ago Cysecurity.news
Hackers Exploiting Microsoft Templates to Execute Malicious Code - This campaign represents a significant evolution in the tactics, techniques, and procedures employed by cybercriminals. They are leveraging social engineering and advanced evasion techniques to deploy malicious code. The attackers meticulously ...
7 months ago Gbhackers.com
See How Our Cloud-Delivered Security Services Provide 357% ROI - Investing in Palo Alto Networks Cloud-Delivered Security Services provided a 357% return on investment and net present value of $10.04 million over 3 years, along with a 6-month payback period, according to a recently released Forrester Consulting ...
7 months ago Paloaltonetworks.com
Unveiling 'Bandook': A Threat that Adapts and Persists - The Bandook malware family, which was thought to be extinct, is back and may be part of a larger operation intended to sell offensive hacking tools to governments and cybercriminal groups to attack them. Several recent research papers have been ...
10 months ago Cysecurity.news
Ukraine Targeted by UAC-0050 Using Remcos RAT Pipe Method - Remcos RAT is a type of Remote Access Trojan used for unauthorized access and control of a computer system. It allows threat actors to perform various malicious activities like:-. Cybersecurity researchers at Uptycs recently discovered that the ...
10 months ago Gbhackers.com
Microsoft No Longer Selling Windows 10 Licenses Redirects to Windows 11 Product Pages - Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro ...
1 year ago Bleepingcomputer.com
Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
1 year ago Heimdalsecurity.com
Windows 11 24H2 now rolling out, here are the new features - Version 24H2 is now also accessible via Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Microsoft 365 admin center. Microsoft suggests that businesses start targeted rollouts to ensure ...
1 month ago Bleepingcomputer.com