China-linked espionage malware targets diplomatic circles


Researchers at one of the largest commercial threat intelligence teams globally, Cisco Talos, have uncovered a sophisticated cyber-espionage operation targeting global diplomatic circles.

The group, dubbed “SneakyChef,” has been found to target ministries of foreign affairs and embassies across Africa and Europe. Its modus operandi involves deploying “SugarGh0st,” a customized variant of Gh0st RAT, a malware family that has been in circulation for more than 15 years.

This remote access trojan gives the attackers unprecedented access to victim systems, allowing them to snatch sensitive diplomatic communications and intelligence. Gh0st RAT has been a popular tool of choice for state-sponsored cyber attacks.

Cisco Talos researchers first observed SugarGh0st activity as early as August 2023, against targets in South Korea and Uzbekistan, but the operation has since expanded.

Deceptive tactics

SneakyChef uses documents, especially scanned files that appear ordinary at first glance, to deliver its malicious payload. The group has also been observed using fake conference registration forms and research paper abstracts as attack vectors.

“Most of the decoy documents we found in this campaign are scanned documents of government agencies, which do not appear to be available on the internet,” noted Cisco Talos in a blog post.

Among these documents were an Indian passport application form, a list of events involving interactions between the US president and India’s prime minister, and a circular impersonating the Embassy of Lithuania.

SugarGh0st itself is an evolution of the Gh0st RAT framework. The researchers highlight that the malware gives the attackers enhanced reconnaissance capabilities, including the ability to search for specific registry keys and file extensions.

The evolved malware also grants the attackers more targeted data exfiltration capabilities while evading conventional security measures.

Once it finds its way into a victim machine, SugarGh0st collects details about the machine, including hostname, filesystem structure, and operating system information. Remarkably, the malware can even capture…
