
SugarGh0st (RAT) – Malware

May 20, 2024

SugarGh0st

Type of Malware

RAT

Date of initial activity

2023

Country of Origin

Likely China

Targeted Countries

United States, EMEA and Asia

Motivation

Espionage and data theft

Attack Vectors

Spear-Phishing Campaigns

Targeted System

Windows

Tools

DynamicWrapperX

Variants / Lineage

Customized variant of the Gh0st RAT family (see Overview)

Type of information stolen

Government Data
Communication data
Login credentials

Overview

SugarGh0st is a Remote Access Trojan (RAT) first documented by Cisco Talos, used in a targeted campaign that likely began in August 2023. It is a customized variant of the well-known Gh0st RAT and has been observed targeting specific entities in Uzbekistan and South Korea. Built for full remote control, it lets operators log keystrokes in real time, open a remote desktop session and capture the victim's webcam.

Infection starts with phishing emails carrying malicious RAR archives. Each archive contains a Windows Shortcut (LNK) file with embedded JavaScript. When the shortcut is opened, the heavily obfuscated JavaScript dropper, which carries its components as base64-encoded data, writes several files to the victim's machine: an encrypted SugarGh0st payload, a decoy document, a batch script and a customized DLL loader. The batch script runs the DLL loader, which decrypts the payload and executes it in memory.

Compared with its Gh0st RAT ancestors, SugarGh0st adds customized remote-administration commands, a modified C2 communication protocol and additional evasion techniques. Once running it keeps a persistent connection to its C2 servers, sending periodic heartbeats and detailed host information such as operating system version and drive details. Its command set covers keylogging, screenshots, file manipulation and service management, and it can clear the Windows event logs to hide its activity.

Targets

Government entities and private-sector organizations in EMEA and Asia, and organizations involved in artificial intelligence efforts in the United States, including academia, private industry and government services.

How they operate

SugarGh0st is a Remote Access Trojan (RAT) that gives attackers full control over infected systems. The attack begins with phishing emails carrying malicious RAR archives designed to trick users into opening them. Once the archive is extracted, it reveals a Windows Shortcut file with embedded JavaScript. When executed, this JavaScript performs several actions to deploy the malware.

The JavaScript is heavily obfuscated to evade detection. It drops a set of components into the %TEMP% directory: a decoy document to disguise the malicious activity, a batch script, an encrypted payload and a customized DLL loader named MSADOCG.DLL. The loader decrypts the SugarGh0st payload and executes it in memory, so the decrypted RAT is never written to disk, which reduces the chance of detection by file-based antivirus.

For persistence, SugarGh0st modifies the Windows registry, creating a Run-key entry named CTFMON.exe so that it is started again after every reboot. The RAT can execute a range of commands remotely, including capturing screenshots, logging keystrokes and accessing the victim's webcam. It also performs system-level operations such as starting and stopping services and manipulating files.

The malware communicates with its command and control (C2) server using a modified communication protocol. It sends periodic "heartbeat" packets to the C2 server containing information about the infected machine, such as operating system details and drive information. SugarGh0st can exfiltrate sensitive data, manage files and carry out other forms of remote control, while evading detection by clearing system event logs and encrypting both its payload and its C2 traffic.
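The chain described above (script host launching the dropped JavaScript from %TEMP%, a DLL loader run from %TEMP%, a Run-key value named CTFMON.exe, and cleared event logs) is something a defender would want to hunt for in endpoint telemetry. The following is an added example written for this profile, not code from Cisco Talos or from the malware authors: it classifies Sysmon-style JSON events (Event ID 1 process creation, 13 registry value set, and Security 1102 audit log cleared) against those four stages. The sample events are constructed for the example, and the choice of regsvr32/rundll32 as the DLL host is an assumption, since the write-up does not name the process that loads MSADOCG.DLL.

```python
"""Hunt for the SugarGh0st infection chain in Sysmon-style JSON events.

Added example for this profile (not Talos or project code). The events at the
bottom are constructed, not real telemetry; field names follow Sysmon Event ID 1
(process create), Event ID 13 (registry value set) and Security Event ID 1102
(audit log cleared).
"""
import json
import re
from collections import defaultdict

# Components are dropped to %TEMP%; the loader is called MSADOCG.DLL (both from the write-up).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
KNOWN_LOADER = "msadocg.dll"
# Assumption: the batch script hands the loader to a standard DLL host. The
# write-up does not say which, so regsvr32/rundll32 are a guess to tune locally.
DLL_HOSTS = ("regsvr32.exe", "rundll32.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Persistence value described in the write-up: a Run-key entry named CTFMON.exe.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\CTFMON\.exe$", re.IGNORECASE)
LEGIT_CTFMON = "\\windows\\system32\\ctfmon.exe"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> list[str]:
    """Return the names of every chain stage this single event matches."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if eid == 1:
        # Stage 1: the LNK-embedded JavaScript runs out of %TEMP% via a script host.
        if image in SCRIPT_HOSTS and TEMP_RE.search(cmd) and re.search(r"\.jse?\b", cmd, re.I):
            hits.append("js_dropper_from_temp")
        # Stage 2: the custom DLL loader is executed from %TEMP% (or by its known name).
        if (image in DLL_HOSTS and re.search(r"\.dll\b", cmd, re.I)
                and (TEMP_RE.search(cmd) or KNOWN_LOADER in cmd.lower())):
            hits.append("dll_loader_from_temp")
        # Stage 4: event logs cleared from the command line.
        if image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd, re.I):
            hits.append("event_log_cleared")
    elif eid == 13:
        # Stage 3: Run-key persistence under the value name CTFMON.exe. The real
        # ctfmon.exe lives in System32 and is not normally registered under Run,
        # so only a System32 target is treated as benign to keep noise down.
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target) and LEGIT_CTFMON not in ev.get("Details", "").lower():
            hits.append("ctfmon_run_key_persistence")
    elif eid == 1102:
        # Stage 4 again: the Security log records its own clearing as 1102.
        hits.append("event_log_cleared")
    return hits


def hunt(lines) -> dict[str, list[int]]:
    """Map each matched stage to the indices of the JSON event lines that hit it."""
    found = defaultdict(list)
    for idx, line in enumerate(lines):
        for rule in classify_event(json.loads(line)):
            found[rule].append(idx)
    return dict(found)


def chain_score(found: dict[str, list[int]]) -> int:
    """Distinct chain stages seen; two or more on one host is a strong signal."""
    return len(found)


# Constructed sample telemetry (hypothetical paths and SID), one JSON object per line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\decree.js"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\Temp\\MSADOCG.DLL"},
    {"EventID": 13, "TargetObject":
     "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CTFMON.exe",
     "Details": "regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\Temp\\MSADOCG.DLL"},
    {"EventID": 1102, "Channel": "Security"},
    # Benign look-alikes that must not fire:
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \"C:\\Program Files\\Vendor\\setup.js\""},
    {"EventID": 13, "TargetObject":
     "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"EventID": 13, "TargetObject":
     "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CTFMON.exe",
     "Details": "C:\\Windows\\System32\\ctfmon.exe"},
]]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, idxs in sorted(found.items()):
        print(f"{rule}: events {idxs}")
    print("chain stages observed:", chain_score(found))
```

Each rule on its own is noisy (script hosts run from %TEMP% during legitimate installs, and administrators do clear logs); the value is in correlating stages per host, which is why `chain_score` counts distinct stages rather than raw hits.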

MITRE tactics and techniques

  • Initial Access: T1566.001 – Phishing: Spearphishing Attachment
  • Execution: T1204.002 – User Execution: Malicious File; T1059.007 – Command and Scripting Interpreter: JavaScript
  • Persistence: T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • Defense Evasion: T1027 – Obfuscated Files or Information; T1140 – Deobfuscate/Decode Files or Information; T1070.001 – Indicator Removal: Clear Windows Event Logs
  • Discovery: T1082 – System Information Discovery
  • Collection: T1056.001 – Input Capture: Keylogging; T1113 – Screen Capture; T1125 – Video Capture
  • Command and Control: T1071.001 – Application Layer Protocol: Web Protocols
  • Exfiltration: T1041 – Exfiltration Over C2 Channel

Significant Malware Campaigns

SugarGh0st RAT has been involved in several notable attacks, particularly targeting specific sectors and regions:

  • Uzbekistan Ministry of Foreign Affairs: The malware was observed targeting the Uzbekistan Ministry of Foreign Affairs. The attackers used a decoy document related to a presidential decree to lure victims. This attack was part of a broader campaign likely aimed at espionage and data collection from government officials.
  • South Korea: SugarGh0st was also found targeting users in South Korea. The attackers used decoy documents related to Microsoft account security notifications, blockchain news and computer maintenance, indicating a focus on compromising sensitive information and potentially conducting espionage or data theft.
  • General espionage campaigns: SugarGh0st is associated with campaigns believed to be conducted by Chinese-speaking threat actors. These campaigns have targeted various governmental and organizational entities, leveraging the RAT's capabilities for surveillance and data exfiltration.
References:
  • Cisco-Talos/IOCs
  • New SugarGh0st RAT targets Uzbekistan government and South Korea
  • Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts
  • Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign
  • ‘SneakyChef’ APT Slices Up Foreign Affairs With SugarGh0st
Tags: Asia, Cisco Talos, EMEA, Government, Malware, RAT, Remote Access Trojan, South Korea, SugarGh0st, United States, Uzbekistan, webcam