| SugarGh0st | |
|---|---|
| Type of Malware | RAT |
| Date of initial activity | 2023 (campaign likely began August 2023) |
| Country of Origin | Likely China |
| Targeted Countries | Uzbekistan, South Korea, United States; wider EMEA and Asia |
| Motivation | Espionage and data theft |
| Attack Vectors | Spear-phishing campaigns (RAR archive with LNK + JavaScript dropper) |
| Targeted System | Windows |
| Tools | DynamicWrapperX |
| Variants | FatRat |
| Type of information Stolen | Government data |
Overview
SugarGh0st is a Remote Access Trojan (RAT) identified by Cisco Talos in a targeted campaign that likely began in August 2023. It is a customized variant of the long-lived Gh0st RAT and was first observed targeting entities in Uzbekistan and South Korea. Built for full remote control of the host, SugarGh0st lets the operator perform real-time keylogging, remote desktop access, webcam capture and file and service manipulation.
The infection chain starts with a phishing email carrying a malicious RAR archive. The archive contains a Windows Shortcut (LNK) file with an embedded JavaScript dropper. When the shortcut is opened, the heavily obfuscated JavaScript, which carries its components as base64-encoded data, writes several files to the victim's machine: an encrypted SugarGh0st payload, a decoy document, a batch script and a customized DLL loader. The batch script runs the DLL loader, which decrypts the SugarGh0st payload and executes it in memory.
Compared with the original Gh0st RAT, SugarGh0st adds customized remote-administration commands, a modified C2 communication protocol and additional evasion techniques. It keeps a persistent connection to its C2 servers, sends periodic heartbeats and reports detailed host information such as operating system version and drive details. It performs keylogging, takes screenshots, manipulates files and manages system services, and it can clear Windows event logs to hide its activity.
Targets
Government entities and private sectors in EMEA and Asia, and organizations involved in artificial intelligence efforts, including those in academia, private industry, and government services in the United States
How they operate
SugarGh0st gives the attacker comprehensive control over an infected system, but the operator still has to get it running first. Delivery is by phishing email with a malicious RAR archive attached. Once the archive is extracted, the victim is presented with a Windows Shortcut (LNK) file that carries an embedded JavaScript dropper; opening the shortcut runs that JavaScript, which performs the rest of the deployment.
The JavaScript is heavily obfuscated to evade static detection. It writes its components to the %TEMP% directory: a decoy document that is opened to disguise the activity, a batch script, an encrypted payload and a customized DLL loader named MSADOCG.DLL. The batch script runs the loader, which decrypts the payload and executes SugarGh0st in memory. Only the encrypted form of the payload touches disk; the decrypted RAT never does, which blunts file-based antivirus scanning.
For persistence, the dropper adds a value named CTFMON.exe under the Windows registry Run key, named after a legitimate Windows binary so that it blends in, so the malware restarts after each reboot. Once running, the RAT executes operator commands remotely: capturing screenshots, logging keystrokes, accessing the webcam, starting and stopping services, and creating, reading, deleting or moving files.
SugarGh0st talks to its command and control (C2) server over a modified version of the Gh0st communication protocol. It sends periodic "heartbeat" packets that include host details such as operating system version and drive information, and it exfiltrates collected data over the same channel. To stay hidden it clears Windows event logs and encrypts both its on-disk payload and its C2 traffic.
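The post-infection artifacts described above (a Run key value named after a legitimate binary that points at a batch script in %TEMP%, a DLL loaded from %TEMP%, and event log clearing) are the things a defender can hunt for. The script below is an added example written for this page, not code from Cisco Talos or from the SugarGh0st authors. It runs three simple detection rules over constructed Sysmon/Security-style event records; the event field names, the sample values and the assumption that rundll32.exe hosts the DLL load are illustrative, not a verified SugarGh0st signature.

```python
import re

# Constructed sample events in a Sysmon / Windows Security-like shape. These are
# illustrative records written for this example, not captured SugarGh0st telemetry.
SAMPLE_EVENTS = [
    # Sysmon 13 (registry value set): a Run value named "CTFMON.exe" whose data is a
    # batch script in %TEMP%, the persistence pattern the page describes.
    {"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.exe",
     "Details": r"C:\Users\victim\AppData\Local\Temp\ctfmon.bat"},
    # Sysmon 7 (image loaded): a DLL loaded from the user's Temp directory.
    # The loading process is an assumption; the page only says a batch script runs the loader.
    {"EventID": 7, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\MSADOCG.DLL"},
    # Security 1102: the audit log was cleared.
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "victim"},
    # System 104: an event log file was cleared.
    {"EventID": 104, "Channel": "System", "Provider": "Microsoft-Windows-Eventlog"},
    # Benign controls that must not fire.
    {"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 7, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|js|jse|vbs|vbe|ps1)\b", re.IGNORECASE)


def rule_run_key_script(ev):
    """Run/RunOnce value whose data launches a script or anything under %TEMP%.
    Severity is raised when the value name masquerades as an .exe (e.g. CTFMON.exe)
    while the data does not actually reference that binary."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    data = ev.get("Details", "")
    if not (SCRIPT_EXT_RE.search(data) or TEMP_PATH_RE.search(data)):
        return None
    name = m.group("name")
    masquerade = name.lower().endswith(".exe") and name.lower() not in data.lower()
    return {"rule": "run_key_script", "severity": "high" if masquerade else "medium",
            "value": name, "data": data}


def rule_temp_dll_load(ev):
    """Any DLL mapped from the per-user Temp directory (Sysmon event 7)."""
    if ev.get("EventID") != 7:
        return None
    path = ev.get("ImageLoaded", "")
    if not TEMP_PATH_RE.search(path):
        return None
    return {"rule": "temp_dll_load", "severity": "medium",
            "image": ev.get("Image"), "dll": path}


def rule_log_cleared(ev):
    """Security 1102 (audit log cleared) or System 104 (event log file cleared)."""
    ch, eid = ev.get("Channel"), ev.get("EventID")
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return {"rule": "event_log_cleared", "severity": "high",
                "channel": ch, "event_id": eid}
    return None


RULES = (rule_run_key_script, rule_temp_dll_load, rule_log_cleared)


def hunt(events):
    """Apply every rule to every event; return the list of findings in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["event_index"] = idx
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The Run-key rule deliberately keys on the shape of the persistence (a script or a %TEMP% path as autostart data, under a name borrowed from a real binary) rather than on the literal string "CTFMON.exe", so a renamed value in a later variant still fires; the log-clearing rule is generic and will also catch benign administrative clears, so it is a signal to correlate with the other two rather than an alert on its own.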
MITRE tactics and techniques
Initial Access: T1566.001 – Phishing: Spearphishing Attachment (malicious RAR archive)
Execution: T1204.002 – User Execution: Malicious File (victim opens the LNK); T1059.007 – Command and Scripting Interpreter: JavaScript (obfuscated dropper); T1059.003 – Command and Scripting Interpreter: Windows Command Shell (batch script runs the loader)
Persistence: T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (CTFMON.exe Run entry)
Defense Evasion: T1027 – Obfuscated Files or Information (obfuscated JavaScript, encrypted payload); T1140 – Deobfuscate/Decode Files or Information (loader decrypts the payload in memory); T1070.001 – Indicator Removal: Clear Windows Event Logs
Discovery: T1082 – System Information Discovery (OS version and drive details sent in heartbeats)
Collection: T1056.001 – Input Capture: Keylogging; T1113 – Screen Capture; T1125 – Video Capture (webcam)
Command and Control: T1071.001 – Application Layer Protocol: Web Protocols
Exfiltration: T1041 – Exfiltration Over C2 Channel
Significant Malware Campaigns
SugarGh0st RAT has been involved in several notable attacks, particularly targeting specific sectors and regions:
Uzbekistan Ministry of Foreign Affairs: SugarGh0st was observed targeting the Uzbekistan Ministry of Foreign Affairs, using a decoy document about a presidential decree to lure the recipient. The attack was part of a broader espionage campaign aimed at collecting data from government officials.
South Korea: SugarGh0st also targeted users in South Korea, with decoy documents themed around Microsoft account security notifications, blockchain news and computer maintenance. The lures point to an interest in compromising individual users for espionage or data theft.
General espionage campaigns: SugarGh0st is attributed to Chinese-speaking threat actors. Their campaigns have targeted governmental and organizational entities in EMEA and Asia and, in a later campaign, organizations involved in artificial intelligence in the United States, using the RAT's capabilities for surveillance and data exfiltration.
References:
- Cisco-Talos/IOCs
- New SugarGh0st RAT targets Uzbekistan government and South Korea
- Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts
- Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign
- ‘SneakyChef’ APT Slices Up Foreign Affairs With SugarGh0st