SpiceRAT and SugarGh0st Malware Deployed by Chinese Hackers in Global Espionage Campaign

Uncovering SneakyChef

A previously unreported Chinese-speaking threat actor, now tracked as SneakyChef, has been linked to an extensive espionage operation targeting government bodies across Asia and EMEA (Europe, the Middle East, and Africa). The campaign, ongoing since at least August 2023, delivers the SugarGh0st malware, according to researchers Chetan Raghuprasad and Ashley Shen from Cisco Talos.

SneakyChef uses scanned documents belonging to government agencies, particularly Ministries of Foreign Affairs and embassies, as its phishing lures. Cisco Talos first highlighted this activity in late November 2023, when it described an attack campaign focused on South Korea and Uzbekistan that used a custom variant of Gh0st RAT named SugarGh0st.

Further analysis by Proofpoint in May 2024 uncovered the deployment of SugarGh0st RAT against U.S. organizations involved in artificial intelligence, spanning academia, private industry, and government sectors. This cluster of activity has been tracked under the name UNK_SweetSpecter.

Notably, the SneakyChef activity overlaps with what Palo Alto Networks Unit 42 has termed Operation Diplomatic Specter. According to Unit 42, that activity has been ongoing since late 2022, targeting governmental entities in the Middle East, Africa, and Asia. Based on the lure documents used in its spear-phishing emails, Cisco Talos has since observed the same malware being aimed at government entities in Angola, India, Latvia, Saudi Arabia, and Turkmenistan, indicating an expanding set of targeted countries.

The new wave of attacks continues to deliver SugarGh0st through Windows Shortcut (LNK) files embedded in RAR archives, but it also uses self-extracting RAR archives (SFX) as an initial infection vector. Opening the SFX archive runs a Visual Basic Script (VBS) that executes the malware through a loader while showing the victim a decoy document.

The attacks on Angola are notable for introducing a new remote access trojan, dubbed SpiceRAT. They use lures taken from "Neytralny Turkmenistan," a Russian-language newspaper in Turkmenistan. SpiceRAT is delivered through two different infection chains. The first uses an LNK file inside a RAR archive and deploys the malware through DLL side-loading. Extracting the RAR file drops a hidden folder and an LNK file on the victim's machine. Opening the LNK file, which is disguised as a PDF, runs an embedded command that launches a malicious executable from the hidden folder, displays a decoy document, and sideloads a malicious DLL that loads SpiceRAT.

The second chain uses an HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader binary. The batch script creates scheduled tasks that run the downloader every five minutes and a second executable, "ChromeDriver.exe," every 10 minutes; ChromeDriver.exe in turn sideloads a rogue DLL that loads SpiceRAT. Each of these components (ChromeDriver.exe, the DLL, and the RAT payload) is extracted from a ZIP archive retrieved from a remote server.
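The two chains above leave a recognizable trail in endpoint telemetry: a script host (mshta.exe) spawning a command shell, and schtasks.exe registering minute-interval tasks whose targets live in user-writable directories. The following Python script is an added example written for this page, not code from Cisco Talos or from the malware; it runs two such detection rules over a handful of constructed Sysmon-style process-creation records. The field names (Image, ParentImage, CommandLine), the file paths, the task names and the 15-minute interval threshold are all assumptions chosen for illustration.

```python
import re

# Constructed Sysmon Event ID 1 style records modelled on the HTA chain
# described above. These are illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\victim\Downloads\invite.hta"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\run.bat"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Update" '
                    r'/tr "C:\Users\victim\AppData\Roaming\dl.exe" /f'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 10 /tn "Chrome" '
                    r'/tr "C:\Users\victim\AppData\Roaming\ChromeDriver.exe" /f'},
    # Benign control: a daily task under Program Files, created by a service.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" '
                    r'/tr "C:\Program Files\Backup\backup.exe"'},
]

# Tokenizer that keeps quoted Windows paths intact (shlex would eat backslashes).
TOKEN = re.compile(r'"[^"]*"|\S+')
# Directories a standard user can write to; assumed list, extend per environment.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Assumed threshold: tasks firing more often than this are suspicious.
MAX_SUSPICIOUS_MINUTES = 15
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def parse_schtasks(cmdline):
    """Return {'sc', 'mo', 'tn', 'tr'} for a `schtasks /create`, else None."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    low = [t.lower() for t in toks]
    if not low or "schtasks" not in low[0] or "/create" not in low:
        return None
    opts = {}
    for i, t in enumerate(low):
        if t in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
    return opts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Apply both rules; return a list of (rule_name, detail) findings."""
    findings = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        # Rule 1: HTA/VBS script host launching a command shell.
        if image in SHELLS and parent in SCRIPT_HOSTS:
            findings.append(("mshta_spawns_shell", ev["CommandLine"]))
        # Rule 2: minute-interval scheduled task whose target is user-writable.
        opts = parse_schtasks(ev["CommandLine"]) if image == "schtasks.exe" else None
        if opts and opts.get("sc", "").lower() == "minute":
            mo = opts.get("mo", "1")
            if mo.isdigit() and int(mo) <= MAX_SUSPICIOUS_MINUTES \
                    and USER_WRITABLE.search(opts.get("tr", "")):
                findings.append(("short_interval_task",
                                 f"{opts.get('tn')} every {mo} min -> {opts.get('tr')}"))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed records, the script flags the cmd.exe spawned by mshta.exe and both minute-interval tasks, while the daily backup task under Program Files passes. In production the same rules would be fed from a SIEM query rather than an inline list, and the writable-directory pattern should be tuned to the organisation's installed software to keep false positives down.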

In both chains, SpiceRAT is brought in by DLL side-loading: the sideloaded DLL loader checks the running processes for debugging tools before executing the main RAT module in memory. With the ability to download and run executable binaries and arbitrary commands, SpiceRAT significantly broadens the attacker's foothold on the victim's network, paving the way for further intrusion.

Cisco Talos emphasizes the increased risk posed by these sophisticated attack methods, underscoring the importance of vigilant cybersecurity measures to protect against such advanced threats.

June 26, 2024
FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.