Hackers believed to be based in China are actively targeting the Uzbekistan Ministry of Foreign Affairs and individuals in South Korea using a strain of malware identified as SugarGh0st, Cisco reported.
Cisco's blog, published on November 30, shed light on the ongoing cyber-espionage campaign, linking the malware to the infamous Gh0st RAT tool, a long-standing weapon in the arsenal of advanced persistent threat (APT) groups globally.
According to researchers from Cisco Talos, the Chinese-speaking threat actor initiated the attacks in August, deploying four samples as part of the campaign. One of these samples was specifically sent to users within Uzbekistan's Ministry of Foreign Affairs. The decoy document, purportedly related to an investment project and featuring content referencing a presidential decree about technical regulation, was used as bait.
The initial attack vector is believed to involve a phishing email containing a malicious RAR file attachment. The decoy document reused content sourced from various Uzbekistan publications in 2021 to lure recipients into opening the attachment. Additionally, three more decoy documents written in Korean were identified by the researchers.
The campaign's likely origin points to China or a Chinese-speaking actor, as two of the decoy files were last modified by users whose names were written in Simplified Chinese. Cisco Talos emphasized that Chinese threat actors have a history of utilizing Gh0st RAT variants and targeting organizations and individuals in Uzbekistan. Gh0st RAT, initially created by a Chinese group, saw its source code publicly released in 2008.
SugarGh0st, being a customized variant, enhances the hackers' reconnaissance capabilities, allowing specific searches for keys, file extensions, and more. It also facilitates the delivery of customized commands while evading detection. The malware encompasses features for full remote control, real-time and offline keylogging, webcam access, and the ability to download and execute arbitrary binaries on the infected host.
"SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information," Cisco Talos researchers explained.
The malware can manage the machine's service manager, take screenshots, access the victim's machine camera, and perform various file operations.
Notably, Chinese threat actors previously employed a customized version of the Gh0st RAT, as reported by Symantec the previous year. Those hackers targeted an IT service provider operating across multiple Asian countries, as well as government agencies and enterprises involved in IT services, aerospace, and electric power industries in Russia, Georgia, and Mongolia.
Last year also witnessed a broader campaign by Chinese actors using Gh0st RAT, targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka, as observed by various cybersecurity firms.