03 Jul

“SneakyChef” targets Government entities with SugarGh0st malware

A recently discovered Chinese-speaking threat actor, codenamed SneakyChef, has been conducting an espionage campaign primarily targeting government entities across Asia, Europe, the Middle East, and Africa (EMEA) using the SugarGh0st malware since at least August 2023.

Researchers from Cisco Talos identified SneakyChef’s use of malicious documents that appear to be scanned government documents, often linked to Ministries of Foreign Affairs or embassies.
The group’s activities were first noted in November 2023, targeting South Korea and Uzbekistan with a tailored variant of Gh0st RAT called SugarGh0st. Proofpoint later found SugarGh0st being used against U.S. organizations involved in artificial intelligence, including those in academia, private industry, and government service, tracking this cluster as UNK_SweetSpecter.
Further investigations by Talos revealed that the same malware was being used to target government entities in Angola, India, Latvia, Saudi Arabia, and Turkmenistan, suggesting an expanded target scope. SneakyChef’s attack techniques include using Windows Shortcut (LNK) files embedded within RAR archives and self-extracting RAR archives (SFX) that launch Visual Basic Scripts (VBS) to execute the malware while displaying decoy files.

Additionally, attacks in Angola have introduced a new remote access trojan called SpiceRAT, using lures from the Russian-language newspaper Neytralny Turkmenistan. SpiceRAT uses two infection methods: one involving LNK files in RAR archives and DLL side-loading, and the other using HTML Applications (HTA) that drop batch scripts and downloader binaries. Once running, SpiceRAT extends the intrusion by executing additional binaries and arbitrary commands, giving the operators a foothold for further attacks across the network.
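As an added example (not code from the article, Talos or Proofpoint), the script below turns the infection-chain characteristics described above into a small defensive triage routine over three artefacts a responder would examine: an archive member listing (a shortcut or script shipped next to a decoy document, or a shortcut bundled with a DLL, the side-loading pattern), a candidate self-extracting RAR (a PE header with an embedded RAR signature), and HTA/VBS source text (object names common to droppers). The heuristics are deliberately simple and every sample input is a constructed assumption, not an indicator published for this campaign.

```python
"""Heuristic triage for archive-based lure chains (added example, not the article's code)."""
import os
import re

# Common prefix of the RAR4 ("Rar!\x1a\x07\x00") and RAR5 ("Rar!\x1a\x07\x01\x00") signatures.
RAR_SIGNATURE = b"Rar!\x1a\x07"

# Extensions that execute when double-clicked; the lures described rely on LNK, VBS, HTA and BAT.
SCRIPT_EXTS = {".lnk", ".vbs", ".vbe", ".hta", ".bat", ".cmd", ".js", ".ps1"}
# Extensions a decoy document is likely to carry.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".jpg", ".png"}

# Object/method names frequently present in HTA/VBS droppers (heuristic, not a signature).
HTA_INDICATORS = {
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "save_to_file": re.compile(r"\.SaveToFile\b", re.I),
    "shell_run": re.compile(r"\.(Run|Exec)\b", re.I),
}


def _ext(name):
    return os.path.splitext(name.lower())[1]


def double_extension(name):
    """True for names like 'letter.pdf.lnk': a decoy extension placed in front of a script one."""
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS and "." + parts[-1] in SCRIPT_EXTS


def triage_listing(member_names):
    """Return findings for an archive member listing; an empty list means nothing matched."""
    findings = []
    scripts = [n for n in member_names if _ext(n) in SCRIPT_EXTS]
    decoys = [n for n in member_names if _ext(n) in DECOY_EXTS]
    dlls = [n for n in member_names if _ext(n) == ".dll"]
    lnks = [n for n in member_names if _ext(n) == ".lnk"]
    for s in scripts:
        if double_extension(s):
            findings.append(f"double extension masquerading as a document: {s}")
    if scripts and decoys:
        findings.append(f"script/shortcut {scripts} shipped next to decoy {decoys}")
    if lnks and dlls:
        findings.append(f"shortcut {lnks} bundled with DLL {dlls}: possible side-loading pair")
    return findings


def is_sfx_rar(data):
    """True when the bytes start with a PE/MZ header and carry an embedded RAR archive."""
    return data[:2] == b"MZ" and RAR_SIGNATURE in data[2:]


def hta_indicators(text):
    """Sorted indicator labels found in HTA/VBS source text."""
    return sorted(k for k, p in HTA_INDICATORS.items() if p.search(text))


# Constructed samples (assumptions for demonstration, not campaign artefacts).
CONSTRUCTED_LISTING = ["Embassy note.pdf.lnk", "Embassy note.pdf", "helper.dll"]
CONSTRUCTED_SFX = b"MZ" + b"\x00" * 126 + b"stub code" + RAR_SIGNATURE + b"\x01\x00" + b"\x00" * 32
CONSTRUCTED_HTA = (
    '<script language="VBScript">Set sh = CreateObject("WScript.Shell")\n'
    'Set st = CreateObject("ADODB.Stream")</script>'
)

if __name__ == "__main__":
    for finding in triage_listing(CONSTRUCTED_LISTING):
        print("archive:", finding)
    print("sfx rar:", is_sfx_rar(CONSTRUCTED_SFX))
    print("hta:", hta_indicators(CONSTRUCTED_HTA))
```

Each function works on data a responder already has in hand (a listing from the archive tool, the first read of a file, the text of a script), so the checks can run before anything is detonated; a plain RAR archive, a PE without an embedded archive, or a document-only listing yields no finding.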