Gh0st RAT Variant Targeting Uzbek and South Korean Users
SugarGh0st Malware Customized by Hackers to Defeat Signature-Based Detection
Suspected Chinese threat actors targeted several South Korean entities and the Uzbekistan Ministry of Foreign Affairs using a variant of the Gh0st RAT malware to gather intelligence.
Researchers at Cisco Talos said threat actors have been using the Gh0st RAT variant, dubbed SugarGh0st, since at least August and likely used phishing emails to deliver the remote access Trojan to targeted machines.
SugarGh0st shares many similarities with Gh0st RAT malware, which has been in use since at least 2008. A Chinese group called C.Rufus Security Team released the malware's source code that year, and Chinese threat groups have since used the malware and its variants repeatedly for reconnaissance or intelligence-gathering activities.
Researchers at Proofpoint in September observed financially motivated Chinese-speaking threat actors using a Gh0st RAT variant, dubbed Sainbox, to target compatriots and remotely control their computers (see: Financially Motivated Hacks by Chinese-Speaking Actors Surge).
Hackers can use Gh0st RAT to remotely control infected machines, log keystrokes, take screenshots, access webcams and microphones, reboot machines, start or terminate system processes and erase log files to prevent analysis.
According to Talos researchers, SugarGh0st features additional capabilities that enable it to look for specific registry keys, load library files with specific file extensions and respond to customized commands from the command-and-control server.
The variant can evade signature-based detection tools that key on the known Gh0st RAT network header: it uses a modified communication protocol with the C2 server and reserves the first 8 bytes of the network packet header as magic bytes, where known Gh0st RAT variants use 5.
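The point about the header change is easiest to see in detection code. The following is an added example, not code from Talos or from the malware: it frames packets in the publicly documented classic Gh0st RAT layout (5-byte magic "Gh0st", then two 4-byte little-endian length fields, then a zlib-compressed body) and in a variant layout with an 8-byte magic. The 8-byte value used here is a placeholder assumption, not SugarGh0st's real magic bytes, and the variant is assumed to keep the same length fields and compression after its longer magic; all packets are constructed inline. A signature rule keyed on the 5-byte magic catches only the classic frame, while a structural check that tolerates either header length catches both.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# Classic Gh0st RAT framing (publicly documented): 5-byte magic "Gh0st",
# 4-byte LE total packet length, 4-byte LE uncompressed length, zlib body.
GH0ST_MAGIC = b"Gh0st"

# SugarGh0st reserves 8 header bytes for its magic instead of 5 (per Talos).
# The real values are not reproduced here; this placeholder is an assumption
# used only to construct a sample frame for the demonstration.
SUGAR_MAGIC_PLACEHOLDER = b"\x00SUGAR\x00\x00"  # hypothetical 8 bytes


def build_packet(magic: bytes, body: bytes) -> bytes:
    """Construct a Gh0st-style frame with the given magic (constructed sample)."""
    compressed = zlib.compress(body)
    total = len(magic) + 8 + len(compressed)
    return magic + struct.pack("<II", total, len(body)) + compressed


def signature_match(packet: bytes) -> bool:
    """Naive signature: the literal 5-byte magic of classic Gh0st RAT."""
    return packet.startswith(GH0ST_MAGIC)


def structural_match(packet: bytes, magic_lengths=(5, 8)) -> Optional[int]:
    """Header-agnostic heuristic. For each candidate magic length, require that
    the declared total length equals the frame length, that the body starts with
    a zlib stream header, and that the body inflates to the declared original
    size. Returns the magic length that matched, or None."""
    for mlen in magic_lengths:
        hlen = mlen + 8
        if len(packet) < hlen + 2:
            continue
        total, orig = struct.unpack_from("<II", packet, mlen)
        if total != len(packet):
            continue
        body = packet[hlen:]
        if body[0] != 0x78:  # zlib CMF byte: deflate method, 32K window
            continue
        try:
            if len(zlib.decompress(body)) == orig:
                return mlen
        except zlib.error:
            continue
    return None


def scan(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, bool, Optional[int]]]:
    """Run both detectors over labelled packets; returns (label, sig_hit, magic_len)."""
    return [(label, signature_match(p), structural_match(p)) for label, p in packets]


# Constructed samples: a classic frame, a variant frame, and a benign HTTP request.
SAMPLES = [
    ("classic", build_packet(GH0ST_MAGIC, b"DESKTOP-01|Windows 10|C:\\")),
    ("variant", build_packet(SUGAR_MAGIC_PLACEHOLDER, b"DESKTOP-01|Windows 10|C:\\")),
    ("benign", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for label, sig, mlen in scan(SAMPLES):
        print(f"{label:8s} signature={sig!s:5s} structural_magic_len={mlen}")
```

The structural check is deliberately loose (it would also fire on any zlib-framed protocol with the same two length fields), so in practice it belongs in a hunting query or as a second-stage filter behind flow metadata rather than as a blocking rule on its own.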
Cisco Talos believes a Chinese-speaking threat actor orchestrated the SugarGh0st infection campaign because the decoy documents used in the phishing attacks carried Chinese names in their "author" and "last modified by" metadata fields. The firm said the targeting of Uzbekistan's foreign ministry also aligns with Chinese intelligence activity abroad.
The threat actor sent a malicious RAR archive containing a Windows shortcut (LNK) file to an employee of the Ministry of Foreign Affairs. When the shortcut was opened, it dropped a decoy document containing text copied from a presidential decree on enhancing state administration in technical regulation.
Without the victim's knowledge, the malicious file also dropped the SugarGh0st malware, which, when executed, immediately attempted to connect to the command-and-control server. Once it establishes a connection, the malware sends an 8-byte heartbeat "that contains information about the host machine such as the device name, operating system version, root and drive information, registry key, Windows version number and the Root drive's volume serial number."
"SugarGh0st is a fully functional backdoor that can execute most remote control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell," said Talos researchers Ashley Shen and Chetan Raghuprasad in a blog post. "It can also manage the machine's service manager by accessing the configuration files of the running services and can start, terminate or delete the services."
The threat actor also ran a similar campaign to target South Korean users, using decoy documents with content copied from a blockchain-focused Korean news outlet and equipment repair guides.
This is not the first time that security researchers have attributed cyberattacks on Uzbek authorities to Chinese-speaking threat actors. Check Point in October blamed a Chinese advanced persistent threat group named ToddyCat for a string of cyberespionage attacks targeting telecommunications companies and government organizations, primarily in Kazakhstan, Uzbekistan, Pakistan and Vietnam (see: ToddyCat APT Spying on Asian Governments and Telecoms).