A newly identified threat actor, dubbed SneakyChef, has expanded its operations across Europe, the Middle East, and Asia, targeting government ministries and high-value diplomatic targets of Angola, Turkmenistan, Kazakhstan, India, Saudi Arabia, and Latvia with SugarGh0st malware.
First detected in August 2023, the SneakyChef campaign has rapidly evolved from its initial focus on South Korea and Uzbekistan. Researchers’ investigations revealed that the group primarily targets high-profile government entities.
SneakyChef’s tactics involve highly sophisticated phishing campaigns utilising meticulously crafted lures. These lures, masquerading as scanned government documents, often contain information not readily available to the public, suggesting a concerning level of intelligence gathering or potential insider access.
Cybersecurity experts found the following government entities targeted by SneakyChef:
- Angola: Ministry of Foreign Affairs, Ministry of Fisheries and Marine Resources, and Ministry of Agriculture and Forestry.
- Turkmenistan: Ministry of Foreign Affairs
- Kazakhstan: Ministry of Foreign Affairs
- India: Ministry of External Affairs
- Saudi Arabia: Embassy in Abu Dhabi
- Latvia: Ministry of Foreign Affairs
The decoy documents used in these attacks are tailored to each target. For instance, lures targeting Angola included circulars about debt conciliation meetings and legal decrees concerning state assets.
“We found another sample that was likely used to target the Indian Ministry of Foreign Affairs. It has decoy documents, including an Indian passport application form, along with a copy of an Aadhar card, a document that serves as proof of identity in India,” reported researchers from Cisco Talos. “One of the decoy Word documents we observed contained lures related to India-U.S. relations, including a list of events involving interactions between India’s prime minister and the U.S. president.”
In a notable development, SneakyChef has introduced a new infection vector alongside its previously observed techniques. The group is now utilising self-extracting (SFX) RAR files to deliver the SugarGh0st Remote Access Trojan (RAT). This new method works as follows:
- The victim executes the SFX RAR file.
- The SFX script drops a decoy document, DLL loader, encrypted SugarGh0st payload, and a malicious VBScript into the user’s temporary folder.
- The VBScript establishes persistence through registry manipulation, ensuring the malware runs each time the user logs in.
- At login, the loader decrypts the SugarGh0st payload and injects it into a running process.
This sophisticated approach demonstrates SneakyChef’s ongoing efforts to evade detection and maintain longevity on compromised systems.
Despite public disclosure of their activities in November 2023, SneakyChef has shown remarkable resilience. The group continues to utilise previously identified command-and-control (C2) infrastructure, including the domain account[.]drive-google-com[.]tk. Researchers found that this domain was still active until mid-May 2024.
Additionally, researchers have observed a new C2 domain, account[.]gommask[.]online, created in March 2024 and active through at least April 21.
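The SFX-to-VBScript-to-Run-key chain listed above and the two C2 domains just mentioned are the stages a defender can actually hunt for. The following Python is an added example, not code from Cisco Talos or from this article: it correlates constructed Sysmon-style process, registry and DNS events per host, refangs the defanged indicators quoted in the article, and raises an alert when the host-side persistence chain or a lookup of a C2 domain (or one of its subdomains) is seen. The event field names, host names, file names (circular.exe, run.vbs, loader.exe) and the registry SID are assumptions for illustration; the only facts taken from the article are the two domains and the shape of the infection chain.

```python
"""
Added example (not Cisco Talos or article code): correlate Sysmon-style
events into the SneakyChef SFX -> VBScript -> Run-key chain and match DNS
queries against the refanged C2 domains quoted in the article.
All event records below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Indicators quoted in the article, in defanged form.
DEFANGED_C2 = [
    "account[.]drive-google-com[.]tk",
    "account[.]gommask[.]online",
]


def refang(indicator: str) -> str:
    """Turn a defanged IOC ('a[.]b[.]tk', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_C2}

# A path under a user's temp folder, as the SFX script drops files there.
TEMP_RE = re.compile(r"(?:\\Temp\\|%TEMP%)", re.IGNORECASE)
# HKCU/HKU Run and RunOnce keys, the usual login-time persistence location.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def is_temp_path(text: str) -> bool:
    return bool(TEMP_RE.search(text))


def is_run_key(key: str) -> bool:
    return bool(RUN_KEY_RE.search(key))


def dns_hits_c2(query: str) -> bool:
    """True if the queried name is a C2 domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def correlate(events):
    """
    events: iterable of dicts with 'type' in {'process', 'registry', 'dns'}
    and a 'host', plus Sysmon-like fields per type (assumed schema).
    Returns one alert dict per host on which a suspicious stage was seen.
    """
    stages = defaultdict(dict)
    for ev in events:
        h = ev["host"]
        if ev["type"] == "process":
            img = ev["image"].lower()
            # Stage 1: a script host launched on a .vbs in the temp folder
            # (the SFX script drops the VBScript there and runs it).
            if img.endswith(("wscript.exe", "cscript.exe")) and is_temp_path(ev["cmdline"]):
                stages[h]["vbscript_from_temp"] = ev
        elif ev["type"] == "registry":
            # Stage 2: Run-key value that points back into the temp folder.
            if is_run_key(ev["key"]) and is_temp_path(ev["value"]):
                stages[h]["run_key_to_temp"] = ev
        elif ev["type"] == "dns":
            # Stage 3: beacon to known C2 infrastructure.
            if dns_hits_c2(ev["query"]):
                stages[h]["c2_dns"] = ev

    alerts = []
    for h, seen in stages.items():
        chain = "vbscript_from_temp" in seen and "run_key_to_temp" in seen
        if chain or "c2_dns" in seen:
            severity = "high" if (chain and "c2_dns" in seen) else "medium"
            alerts.append({"host": h, "stages": sorted(seen), "severity": severity})
    return alerts


# Constructed sample telemetry: WS-01 shows the full chain, the others are benign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\alice\Downloads\circular.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\run.vbs"'},
    {"type": "registry", "host": "WS-01",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "value": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"type": "dns", "host": "WS-01", "query": "account.drive-google-com.tk"},
    {"type": "process", "host": "WS-02", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Scripts\backup.vbs"'},
    {"type": "dns", "host": "WS-03", "query": "www.google.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The Run-key and temp-folder checks are deliberately generic rather than tied to the sample's file names, since SneakyChef tailors lures per target; the C2 match is the only indicator-specific part, and it matches subdomains so that a new host name under an attacker-controlled domain is still caught.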
While government agencies remain a primary focus, recent reports suggest SneakyChef is broadening its scope. The group has reportedly targeted organisations in the United States involved in artificial intelligence research, spanning academia, the private technology sector, and government services.
Upon further investigation, researchers found lures related to various research conferences, including those focused on political science and international relations. This diversification of targets indicates a potential expansion of SneakyChef’s intelligence-gathering priorities beyond purely government affairs.
Researchers assess with medium confidence that SneakyChef operators are likely Chinese-speaking based on the language preferences in malware samples, the use of variants of Gh0st RAT, a popular tool among Chinese-speaking threat actors, and the specific nature of targets, particularly the focus on various countries’ ministries of foreign affairs.
Additionally, researchers have identified another RAT, ‘SpiceRAT,’ used in conjunction with the SugarGh0st campaign, further expanding the group’s arsenal.
Cybersecurity researchers have recommended that governments implement robust email filtering and security awareness training, regularly update and patch all systems to mitigate known vulnerabilities, deploy advanced endpoint protection solutions, conduct regular security audits, and enhance network traffic monitoring to counter SneakyChef.