SugarGh0st RAT Delivered via Malicious Windows & JavaScript


Hackers use Remote Access Trojans (RATs) to gain unauthorized access and control over a victim’s computer remotely. 

RATs allow threat actors to execute the following malicious actions while remaining hidden from the victim:-

  • Stealing sensitive information
  • Monitoring activities
  • Deploying additional malware

Recently, cybersecurity researchers at Cisco Talos discovered a malicious campaign that was found to be delivering a new RAT that’s been dubbed “SugarGh0st.”

Security analysts also affirmed that this new malicious campaign has been active since early August 2023.



SugarGh0st RAT via Windows Shortcut

The threat actors distribute this new SugarGh0st RAT through malicious Windows Shortcut (LNK) files and JavaScript.

In this campaign, Talos researchers identified four samples, targeting users primarily in two countries, Uzbekistan and South Korea.

The samples include an archive with a Windows Shortcut (LNK) file that delivers a decoy document related to a presidential decree in Uzbekistan.

The lure content matches Uzbek sources from 2021. The likely initial vector is a phishing email with a malicious RAR archive sent to a Ministry of Foreign Affairs employee.

Targets extend to South Korea alongside Uzbekistan, evidenced by three Korean-language decoy documents dropped via a malicious JavaScript file in a Windows Shortcut. Documents mimic a Microsoft account notification, leverage blockchain news content, and provide computer maintenance instructions.

C2 domain requests from South Korean IPs further affirm the focus. Artifacts hint at a Chinese-speaking actor, with decoy files showing names in Simplified Chinese.

The actor’s preference for SugarGh0st, a Gh0st RAT variant, aligns with the practices of Chinese threat actors, who have used Gh0st RAT since 2008. Chinese actors have historically targeted Uzbekistan, which supports the current campaign’s focus on the Ministry of Foreign Affairs.

SugarGh0st, a customized Gh0st RAT variant, can be traced back to the Chinese C.Rufus Security Team’s 2008 release. Gh0st RAT’s public source code availability led to numerous variants favored by Chinese-speaking actors for surveillance. 

SugarGh0st enhances reconnaissance, seeking specific ODBC registry keys and modifying the C2 communication protocol. 

It adapts features for remote administration and evading detection and aligns with Gh0st RAT’s capabilities, including:-

  • Remote control
  • Keylogging
  • Webcam access
  • Running arbitrary binaries

In the first infection chain, the Windows Shortcut inside the malicious RAR archive triggers embedded JavaScript, which then drops the following elements:-

  • Encrypted SugarGh0st payload
  • DLL loader
  • Batch script

The batch script is then executed and runs the DLL loader via rundll32 (sideloading), which decrypts the SugarGh0st payload and runs it reflectively.

In the second infection chain, the RAR archive holds a malicious Windows Shortcut that executes commands to drop a JavaScript dropper in %TEMP% and runs it with cscript. The JavaScript then drops:-

  • Decoy
  • DynamicWrapperX DLL
  • Encrypted SugarGh0st

The legitimate DynamicWrapperX DLL is used to run the shellcode that loads the SugarGh0st payload.

Using a hardcoded domain and port, SugarGh0st connects to its C2 through the Winsock API (“WSAStartup”). The two C2 domains found are:-

  • login[.]drive-google-com[.]tk
  • account[.]drive-google-com[.]tk
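As an added defender-side example (not code from the Talos report or from the article), the script below scans constructed process-creation and DNS telemetry for the two stages described above: a JavaScript dropper executed from %TEMP% with cscript, rundll32 loading a DLL from %TEMP%, and DNS queries for the published (defanged) C2 domains. The log line format and the sample events are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not from the report). Process lines are
# "parent|image|cmdline"; DNS lines are "dns|queried_host".
SAMPLE_EVENTS = """\
explorer.exe|cscript.exe|cscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\upd.js
cscript.exe|rundll32.exe|rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\dwx.dll,Start
explorer.exe|winword.exe|winword.exe report.docx
dns|login.drive-google-com.tk
dns|update.microsoft.com
"""

# C2 domains as published (defanged with [.]); refang them for matching.
DEFANGED_C2 = ["login[.]drive-google-com[.]tk", "account[.]drive-google-com[.]tk"]

def refang(domain):
    return domain.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in DEFANGED_C2}
# Matches a path component under the user's %TEMP% directory.
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)

def classify(line):
    """Return a finding label for one telemetry line, or None if benign."""
    fields = line.split("|")
    if fields[0] == "dns" and len(fields) == 2:
        return "c2-dns" if fields[1].lower() in C2_DOMAINS else None
    if len(fields) != 3:
        return None
    parent, image, cmdline = fields
    image, lowered = image.lower(), cmdline.lower()
    # Stage 1: JavaScript dropper written to %TEMP% and run with cscript.
    if image == "cscript.exe" and TEMP_PATH.search(cmdline) and lowered.endswith(".js"):
        return "js-dropper-from-temp"
    # Stage 2: rundll32 loading a DLL out of %TEMP% (DLL loader / DynamicWrapperX).
    if image == "rundll32.exe" and TEMP_PATH.search(cmdline) and ".dll" in lowered:
        return "rundll32-dll-from-temp"
    return None

def scan(text):
    """Return (label, line) pairs for every suspicious line in the telemetry."""
    findings = []
    for line in text.splitlines():
        label = classify(line)
        if label:
            findings.append((label, line))
    return findings
```

The same two path checks can be carried over into an EDR query or a Sigma rule; the refanged domain set is what a DNS-log or proxy-log match would use.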

Functionalities of SugarGh0st

Here below, we have mentioned the functionalities of SugarGh0st:-

  • Gathers the computer name.
  • Gathers the operating system version.
  • Gathers root and other drive information from the victim machine.
  • Gathers the registry key “HKEY_LOCAL_MACHINE\Software\ODBC\H” if it exists.
  • Gathers the Windows version number.
  • Gathers the root drive’s volume serial number.
  • Accesses the victim machine’s camera.
  • Searches, copies, moves, and deletes files.
  • Compresses the captured data.
