| SneakyChef | |
| --- | --- |
| Location | China |
| Date of initial activity | 2023 |
| Suspected attribution | Cybercriminals |
| Motivation | Data theft |
| Associated tools | SugarGh0st RAT, SFX RAR files, VBScript, command and control (C2) domains |
| Software | Servers |
Overview
SneakyChef is a threat actor tracked by Cisco Talos, with campaign activity observed from August 2023, that conducts espionage-oriented intrusions against government agencies and diplomatic institutions. Its operations are marked by a targeted, methodical approach: custom malware paired with decoy documents that impersonate official government correspondence.
SneakyChef’s primary tool is the SugarGh0st Remote Access Trojan (RAT), a customized variant of the Gh0st RAT that gives the operators interactive control over compromised systems. Its infection chains deliver malicious self-extracting RAR (SFX) archives which, once executed, drop the components needed to establish persistence and load the RAT. This method provides initial access and long-term control of the infected machine in a single step. The group continues to adapt its tradecraft, using multiple RAT variants and refining its infection chains over time.
Common Targets
- Uzbekistan
- South Korea
- India
- Saudi Arabia
- Angola
- Kazakhstan
- Latvia
- Public Administration
- Information
Attack vectors
Phishing
How they work
At the core of SneakyChef’s attack strategy is the SugarGh0st RAT, which has become a hallmark of its operations. The group uses several infection techniques to deliver the RAT; one notable method relies on SFX RAR (self-extracting RAR) files. When executed, the SFX RAR acts as a wrapper that drops a decoy document, a DLL loader, an encrypted SugarGh0st payload and a malicious VBScript onto the victim’s system. The VBScript is responsible for setting up persistence and executing the loader.
The persistence mechanism relies on the Windows registry. The VBScript writes a command to the UserInitMprLogonScript value (which lives under HKCU\Environment and is executed by userinit.exe at every logon of that user), so the malicious DLL is launched each time the user signs in. The command invokes the regsvr32.exe utility to load the DLL silently, allowing SugarGh0st to start without a visible window. Once the loader runs, it decrypts the SugarGh0st payload and injects it into a running process, giving SneakyChef ongoing control over the compromised host.
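The persistence described above leaves two observable traces: a write to the UserInitMprLogonScript registry value and a regsvr32.exe process loading a DLL from a user-writable location at logon. The following hunt logic is an added example, not Talos code or SneakyChef tooling; it runs over constructed Sysmon-style events (Event ID 13 registry value set, Event ID 1 process creation) and the hostnames, SIDs and file paths in the sample data are hypothetical.

```python
"""Hunt for UserInitMprLogonScript persistence in Sysmon-style events.

Added example (not Talos code or SneakyChef tooling). Flags:
  * Event ID 13 (RegistryEvent: value set) writing a logon script, escalated
    to 'high' when it points at regsvr32 or a user-writable path;
  * Event ID 1 (process creation) where regsvr32.exe loads a DLL from
    outside C:\\Windows, as the logon script in the text would do.
All sample events below are constructed; SIDs and paths are hypothetical.
"""
import re

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript",
     "Details": "regsvr32.exe /s C:\\Users\\Public\\Libraries\\update.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\TEMP",
     "Details": "%USERPROFILE%\\AppData\\Local\\Temp"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\Libraries\\update.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll"},
]

# The logon-script value sits under <user hive>\Environment.
LOGON_SCRIPT_KEY = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.IGNORECASE)
REGSVR32 = re.compile(r"regsvr32(\.exe)?\b", re.IGNORECASE)
# Locations a standard user can write to; a DLL registered from here is suspicious.
USER_WRITABLE = re.compile(r"(C:\\Users\\|\\AppData\\|\\Temp\\|C:\\ProgramData\\|\\Public\\)",
                           re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)


def dll_path(cmdline):
    """Return the DLL path argument from a regsvr32 command line, or None."""
    m = re.search(r'(?:^|\s)"?([A-Za-z]:\\[^"]+?\.dll)"?(?=\s|$)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def check_event(ev):
    """Return a list of finding strings for one event (empty if nothing matched)."""
    findings = []
    if ev.get("EventID") == 13 and LOGON_SCRIPT_KEY.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        # Any write to this value is rare on a workstation; escalate when the
        # script invokes regsvr32 or references a user-writable path.
        sev = "high" if (REGSVR32.search(details) or USER_WRITABLE.search(details)) else "medium"
        findings.append(f"{sev}: logon-script persistence set to '{details}' by {ev.get('Image')}")
    if ev.get("EventID") == 1 and ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        path = dll_path(ev.get("CommandLine", ""))
        if path and not WINDOWS_DIR.match(path):
            findings.append(f"high: regsvr32 loading non-system DLL {path} "
                            f"(parent {ev.get('ParentImage')})")
    return findings


def hunt(events):
    """Run check_event over a list of events and return all findings."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the script reports two findings (the registry write and the regsvr32 load) and stays silent on the benign TEMP write and on regsvr32 registering a DLL from System32. A regsvr32.exe process whose parent is userinit.exe, as in the third sample event, is itself worth alerting on in a production rule, since that parent-child pair is what a logon script produces.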
In addition to SugarGh0st, SneakyChef has been observed deploying a second RAT known as SpiceRAT. Fielding two RATs raises the odds that at least one implant survives on a target and keeps the exfiltration channel open. The group’s tooling also relies on encrypted payloads and obfuscated C2 communication to avoid triggering signature-based detection.
The decoy documents used by SneakyChef are meticulously crafted to mimic official government communications, further enhancing the effectiveness of their phishing campaigns. These documents, often impersonating ministries or embassies, serve as bait to lure targets into executing the malicious payloads. The choice of lures reflects the group’s focus on high-value targets across EMEA and Asia, including government agencies and diplomatic missions.
The infrastructure behind SneakyChef’s operations includes a network of command and control (C2) domains. The group has been observed using both old and new C2 domains to maintain communication with their malware. Domains such as account[.]drive-google-com[.]tk and account[.]gommask[.]online have been linked to the group’s activities, demonstrating their ability to adapt and persist despite security disclosures.
MITRE Tactics and Techniques
Initial Access (TA0001):
Spearphishing Attachment (T1566.001): SneakyChef sends phishing emails with malicious attachments, such as SFX RAR files that drop SugarGh0st RAT, to gain initial access to victim systems.
Execution (TA0002):
Command and Scripting Interpreter: Visual Basic (T1059.005): The group uses a malicious VBScript to set up persistence and launch the DLL loader on compromised systems.
Persistence (TA0003):
Boot or Logon Initialization Scripts: Logon Script (Windows) (T1037.001): SneakyChef’s VBScript writes the UserInitMprLogonScript registry value, so the malicious DLL is executed by regsvr32.exe at every user logon. (This value is a logon script, not a Run key, so T1547.001 does not apply.)
Privilege Escalation (TA0004):
No privilege-escalation technique is documented for this actor. Exploitation for Client Execution (T1203) belongs to the Execution tactic, and the infection chain described above depends on the victim running the SFX RAR and its VBScript rather than on a vulnerability in document-viewing software; the logon-script persistence runs in the context of the logged-on user.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): The use of encrypted payloads and obfuscation techniques helps SneakyChef evade detection by security solutions.
Credential Access (TA0006):
Input Capture: Keylogging (T1056.001): Through SugarGh0st, the group captures keystrokes to collect sensitive information, including credentials.
Discovery (TA0007):
System Information Discovery (T1082): SneakyChef gathers system information to identify valuable targets and further tailor their attack.
Lateral Movement (TA0008):
Remote Services (T1021): With interactive control of a compromised host through SugarGh0st, SneakyChef could move laterally using legitimate remote services such as RDP or SMB; no dedicated lateral-movement tooling is documented for the group.
Collection (TA0009):
Data from Local System (T1005): The group exfiltrates files and data from compromised systems to achieve their espionage goals.
Command and Control (TA0011):
Application Layer Protocol (T1071): SneakyChef uses C2 domains to communicate with and control compromised systems, typically via standard web protocols to avoid detection.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): Data collected from infected systems is sent to the threat actor’s command and control infrastructure over the same channels used for C2 communication.
Impact (TA0040):
Data Manipulation (T1565): The group may manipulate data on the compromised systems to disrupt operations or alter information.