Sneaky Chef APT from China Spies on Government Ministries

June 21, 2024
CVE or Exploit Name

Sneaky Chef Spyware Campaign

Timeline
  • June 21, 2024

    DarkReading reports on the SneakyChef APT and its cyber-espionage attacks, and Cisco Talos releases its findings on government agencies targeted with SugarGh0st and additional infection techniques.

  • February 2024

    Kazakhstan government discloses details of the SugarGh0st campaign.

  • November 2023

    Cisco Talos exposed this campaign, identifying two infection paths involving a malicious RAR file paired with an LNK file, often distributed through phishing emails.

  • August 2023

    SugarGh0st RAT campaign surfaces, targeting South Korea as well as the Ministry of Foreign Affairs in Uzbekistan.

Overview of Exploit

Cisco Talos recently uncovered an ongoing campaign by SneakyChef, a newly identified threat actor deploying the SugarGh0st malware since at least August 2023. SneakyChef uses lures that appear to be scanned documents from government agencies, predominantly related to Ministries of Foreign Affairs or embassies of various countries. It is suspected that this is part of China’s continuous harassment of diplomats.

Impact

Threat actors employ legitimate decoy documents for phishing, typically sourced from scanned documents related to the targeted ministry or embassy. These documents often detail government activities such as upcoming meetings or conferences. Interestingly, Cisco Talos can’t find these documents on the open web in recent campaigns, indicating they may have been acquired through espionage.

Based on the lure documents, likely targets of the campaign have included:

  • Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan.
  • Ministries of Agriculture and Forestry, and Fisheries and Marine Resources in Angola.
  • The Saudi Arabian Embassy in Abu Dhabi.

Among the decoy documents employed in these attacks was one likely aimed at Central Asian countries, masquerading as official communications from either the Ministry of Foreign Affairs of Turkmenistan or Kazakhstan. One lure involved a fabricated invitation to a meeting organized by the Turkmenistan embassy in Argentina, purportedly with the heads of transportation and infrastructure of the Italian Republic. Another document simulated a report outlining planned events and the government’s list of priorities for 2024, including a formal proclamation-signing event between the Ministries of Defense of Uzbekistan and Kazakhstan.

In addition to the government-themed decoy document samples, Talos observed a variety of other decoys from these campaigns. These included an application form to register for a conference run by the Universal Research Cluster (URC) and a research paper abstract for the ICCSE international conference. Other decoys related to conference invitations and details, including those for the Political Science and International Relations conference.

Recently, Proofpoint researchers reported a SugarGh0st campaign targeting a U.S. organization involved in artificial intelligence across academia, the private technology sector, and government services. This highlights the broader adoption of SugarGh0st RAT in targeting various business sectors.

Why is This Important

The language used in the SFX sample from this campaign further supports the hypothesis that the actor is proficient in Chinese. It is to be noted that China continuously harasses diplomats and foreign affairs personnel.

Last year, the U.S. ambassador to Beijing was targeted in a Chinese cyber-attack, as reported by The Guardian. His emails, along with those of Daniel Kritenbrink, the Assistant Secretary of State for East Asia, and many others, were accessed by adversaries. Additionally, last year, China orchestrated the Volt Typhoon campaign in an attempt to infiltrate U.S. critical infrastructure. China’s actions are not limited to the U.S. alone; similar cyber-attacks have been reported globally, targeting various countries’ ministries, embassies, and critical sectors. This ongoing cyber warfare raises significant concerns about the security of sensitive information and the stability of international relations.

Implications

The presence and activities of sophisticated malware like SugarGh0st, wielded by threat actor groups such as SneakyChef in their espionage campaigns targeting government entities, carry significant implications across various sectors and stakeholders. Infiltration by malware like SugarGh0st can result in massive data breaches, exposing personal information, confidential communications, and strategic plans. The compromise of government systems can erode public trust, violate privacy rights, and have far-reaching consequences for individuals and institutions. One notable aspect of these attacks is the chain reaction they can trigger. For example, once internal documents are obtained, they can be used as lures to compromise additional targets, creating a cascade of security breaches if not properly contained.

The implications for affected governments include national security threats, as compromised systems can lead to leaks of sensitive information that may jeopardize national security, defense strategies, and international relations. Economically, cyber-attacks can disrupt critical infrastructure and operations, resulting in financial losses and undermining investor confidence.

Diplomatic relations can also suffer due to continuous cyber harassment, leading to a lack of trust between nations and potential geopolitical tensions. Operationally, malware infiltration can disrupt the normal functioning of government services, affecting everything from administrative operations to critical public services. Governments will also face increased cybersecurity costs, necessitating significant investments in training personnel, upgrading systems, and deploying advanced security technologies. Legally and from a regulatory standpoint, breaches of personal and confidential information can lead to legal consequences and necessitate stricter regulatory frameworks to protect sensitive data.

How it Happened

The SneakyChef threat actor group employs sophisticated techniques to deploy and execute its SugarGh0st Remote Access Trojan (RAT) for espionage purposes against government agencies. This campaign operates through a series of well-coordinated steps. The initial vector involves the use of Self-Extracting RAR (SFX RAR) files. These malicious SFX RAR files are typically delivered via phishing emails, which contain decoy documents that mimic government or research-related topics to entice the victim into opening them.

Once the victim opens the SFX RAR file, it automatically executes a script designed to drop multiple files onto the victim’s system. These include a decoy document, a DLL loader, an encrypted SugarGh0st payload, and a malicious VB script. The decoy document appears legitimate to distract the user, while the DLL loader is responsible for loading the RAT. The encrypted SugarGh0st payload is the main malicious file, designed to evade detection, and the malicious VB script establishes persistence on the system.

Persistence is achieved through registry key manipulation. The malicious VB script writes a command to a specific registry key (UserInitMprLogonScript), which is triggered when a user logs into the system, ensuring the malware is executed at startup. The registry key value is set as follows:

```
HKCU\Environment\UserInitMprLogonScript regsvr32.exe /s %temp%\update.dll
```

This command uses regsvr32.exe to load and execute the update.dll file. The update.dll file then decrypts the authz.lib file, which contains the encrypted SugarGh0st RAT. The decrypted RAT is injected into a legitimate process to maintain stealth and continue communication with the Command and Control (C2) server. The malware communicates with C2 domains to receive commands and exfiltrate data. SneakyChef has been observed using several C2 domains, such as:

  • account[.]drive-google-com[.]tk
  • account[.]gommask[.]online

These domains help the malware to stay connected with the C2 server, allowing the threat actors to issue commands and retrieve sensitive information from the infected systems. This continuous communication is critical for the success of the espionage campaign, enabling SneakyChef to maintain control over compromised systems and extract valuable data without detection.
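Defenders can hunt for the persistence mechanism described above in endpoint telemetry. The following is an added example (not code from the Cisco Talos report or from BreachLock) that runs simple detection logic over a few constructed Sysmon-style registry-value-set and process-creation events; the field names follow Sysmon's schema, and treating userinit.exe as the expected parent of a logon-script launch is an assumption.

```python
import re

# Constructed Sysmon-style events (not real telemetry).
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\UserInitMprLogonScript",
     "Details": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\TEMP",
     "Details": r"C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

# The logon-script value lives under each user's Environment key (HKCU or HKU\<SID>).
LOGON_SCRIPT_KEY = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)
# A DLL sitting in a temp directory, either expanded or as %temp%.
TEMP_DLL = re.compile(r'(\\temp\\|%temp%)[^\s"]*\.dll', re.I)
# regsvr32 invoked with the silent switch used in the campaign.
REGSVR32_SILENT = re.compile(r"\bregsvr32(\.exe)?\b.*\s/s\b", re.I)


def classify(event):
    """Return a list of finding strings for one event (empty if nothing suspicious)."""
    findings = []
    if event.get("EventID") == 13 and LOGON_SCRIPT_KEY.search(event.get("TargetObject", "")):
        details = event.get("Details", "")
        # Any write to this value is worth a look; regsvr32 or a temp-dir DLL raises severity.
        sev = "high" if (REGSVR32_SILENT.search(details) or TEMP_DLL.search(details)) else "medium"
        findings.append(f"{sev}: UserInitMprLogonScript set by {event.get('Image')} -> {details}")
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if REGSVR32_SILENT.search(cmd) and TEMP_DLL.search(cmd):
            parent = event.get("ParentImage", "")
            # Assumption: userinit.exe is the parent when a logon script fires.
            sev = "high" if parent.lower().endswith("\\userinit.exe") else "medium"
            findings.append(f"{sev}: regsvr32 silently loading DLL from temp dir (parent {parent}): {cmd}")
    return findings


def scan(events):
    """Run classify() over a batch of events and collect all findings."""
    return [f for e in events for f in classify(e)]
```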

Recommendation and Remediation

While SneakyChef targets Western diplomats and Ministries of External Affairs (MEA) of various countries on behalf of China, Russia’s Nobelium intrusion group, known as Midnight Blizzard, is simultaneously engaging in phishing attacks. Its primary targets include Western diplomats, particularly French diplomats. Both groups employ similar phishing tactics to infiltrate sensitive government networks and compromise diplomatic communications and strategic information.

If a phishing attack successfully infects a system, immediate remediation steps are crucial to mitigate further damage and safeguard against future incidents. Firstly, isolate the infected systems from the network to contain the spread of malware. Use reputable antivirus or anti-malware software to thoroughly scan and remove malicious files identified during the attack. Restore affected systems and files from secure backups made before the incident to ensure data integrity. Immediately apply security patches and updates to close vulnerabilities exploited in the attack. Reset passwords for compromised accounts and enforce multi-factor authentication (MFA) to bolster account security.

Educate users through ongoing phishing awareness training, emphasizing the identification of suspicious emails and attachments. Implement advanced email filtering solutions and endpoint protection with behavior-based detection to preemptively block phishing attempts. Regular security audits and incident response drills help maintain readiness against future threats, ensuring robust defense mechanisms are in place to safeguard sensitive information and uphold organizational security standards.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know Your Risk. Contact BreachLock today!
