An offshoot of the Gh0stRat malware is being used to target a government ministry in Uzbekistan and users in South Korea, says Cisco Talos. The threat intelligence group suspects that a Chinese-speaking actor may be behind it, but has only low confidence in that assessment.
Cisco Talos believes the new malware strain, which it dubbed SugarGh0st, arose in August 2023 and is a remote access trojan (RAT) derived from Gh0stRat, a long-established malware family that has been in circulation for roughly 15 years.
Uzbekistan’s government is believed to have been targeted by SugarGh0st, as have individual web users in South Korea.
In the South Korean campaign, the decoy documents used as lures included one mimicking the South Korean version of Coindesk, a cryptocurrency news site.
Cisco Talos said it “assesses with low confidence that a Chinese-speaking threat actor is operating this campaign based on the artifacts we found in the attack samples.”
The Uzbek campaign used as its lure a document purporting to be a presidential decree on technology regulation.
Cisco Talos thinks the lure content itself was originally legitimate, having been “published in multiple Uzbekistan sources in 2021”, and that the campaign’s initial attack vector was likely a phishing email sent to an employee of Uzbekistan’s Ministry of Foreign Affairs.
Why Cisco believes China is involved
“During our analysis, we observed a couple of artifacts that suggested the actor might be Chinese-speaking,” added Cisco Talos.
It cited as evidence two of the decoy files used in the attacks, whose metadata showed they were last modified by “浅唱丶低吟” (Simplified Chinese for “sing lightly”) and “琴玖辞” (which Cisco Talos believes to be the name of a Chinese novelist).
Cybernews was able to verify the first translation using Google Translate, although the second did not return a perfect match.
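The “last modified by” artifact Talos cites lives in a document’s own metadata. As an added illustration (not code from the Cybernews article or the Cisco Talos report), the Python below pulls the author fields from an Office Open XML file, where they sit in the docProps/core.xml part as dc:creator and cp:lastModifiedBy, and labels the script those names are written in, so a batch of lure documents can be screened for the same kind of artifact. It assumes the decoy files were .docx-style OOXML documents, which the article does not state; the sample document it builds is constructed test data carrying the first name quoted above, not an actual decoy.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces of the OOXML core-properties part (shared by Word, Excel and PowerPoint files).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def office_core_properties(doc):
    """Return creator / lastModifiedBy / created / modified from docProps/core.xml.

    `doc` is a path or a bytes object holding an OOXML zip container.
    Missing fields come back as None; a container without core.xml returns {}.
    """
    src = io.BytesIO(doc) if isinstance(doc, (bytes, bytearray)) else doc
    with zipfile.ZipFile(src) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def author_script(name):
    """Label the dominant script of an author string (e.g. CJK, HANGUL, CYRILLIC, LATIN).

    Uses the first word of each letter's Unicode character name, so no script tables
    are needed. Returns NONE for an empty string or one with no letters.
    """
    counts = {}
    for ch in name or "":
        if not ch.isalpha():
            continue
        label = unicodedata.name(ch, "").split(" ")[0]
        counts[label] = counts.get(label, 0) + 1
    return max(counts, key=counts.get) if counts else "NONE"


def triage(doc):
    """Metadata plus a script label for each author field, as a triage row."""
    props = office_core_properties(doc)
    props["creator_script"] = author_script(props.get("creator"))
    props["lastModifiedBy_script"] = author_script(props.get("lastModifiedBy"))
    return props


def make_sample_docx(creator, last_modified_by):
    """Build a minimal OOXML container holding only the parts this script reads.

    Constructed test data: this is not a real document and not one of the decoys.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-01T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2023-08-10T07:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ).format(creator=escape(creator), modified_by=escape(last_modified_by), **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_docx("analyst", "浅唱丶低吟")  # constructed: creator name is made up
    for k, v in triage(sample).items():
        print(f"{k:22} {v}")
```

These fields are written by whatever Office installation last saved the file and can be edited freely, so they are a language hint rather than attribution evidence, which is consistent with the low-confidence rating above.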
Cisco Talos further believes SugarGh0st to be a variant of the older Gh0stRat malware, which it describes as “a mainstay in the Chinese threat actors’ arsenal” that has been active for 15 years.
“Chinese actors also have a history of targeting Uzbekistan,” it added. “The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad.”
Under the hood
A closer analysis of SugarGh0st revealed features that allow it to collect data about the target machine’s operating system and take screenshots of its desktop. It then sends the captured data to a command-and-control server run by the malware’s operators, making it well suited to espionage.
“SugarGh0st can perform various file operations, including searching, copying, moving, and deleting the files on the victim’s machine,” added Cisco Talos. “It also clears the machine’s application, security, and system event logs to hide the malicious operations logged to evade detection.”
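Clearing the event logs is itself logged: Windows writes event 1102 to the Security log when the audit log is cleared and event 104 to the System log when the Application or System log is cleared, both from the Microsoft-Windows-Eventlog provider. The Python below is an added detection example, not code from the article or from Talos. It runs over a handful of constructed JSON event records in a simplified schema (time, host, log, event_id, channel, user; an assumed layout, not any product’s native export format) and raises a high-severity alert when all three logs named in the quote above are cleared on one host within a short window, and a medium-severity one for an isolated clear. Host and user names in the sample are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Records Windows writes when a log is cleared (provider Microsoft-Windows-Eventlog):
#   Security log, ID 1102 : "The audit log was cleared"
#   System log,   ID 104  : "The <Channel> log file was cleared" (Channel = Application or System)
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
ALL_THREE = {"Application", "Security", "System"}


def cleared_channel(ev):
    """Name of the log a record says was cleared, or None if it is not a clear event."""
    if (ev.get("log"), ev.get("event_id")) not in CLEAR_EVENTS:
        return None
    if ev["event_id"] == 1102:
        return "Security"
    return ev.get("channel")  # a 104 record names the cleared log in its event data


def find_log_wipes(lines, window=timedelta(minutes=5)):
    """Correlate clear events per host and return alerts sorted by time.

    All of Application, Security and System cleared on one host inside `window`
    (the behaviour described for SugarGh0st) -> one 'high' alert for the burst.
    Any clear not part of such a burst -> a 'medium' alert of its own.
    """
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        ch = cleared_channel(ev)
        if ch:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ch, ev.get("user")))

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        covered = set()  # indexes already reported as part of a high-severity burst
        for i, (t0, _, user) in enumerate(events):
            burst = [j for j in range(i, len(events)) if events[j][0] - t0 <= window]
            cleared = {events[j][1] for j in burst}
            if ALL_THREE <= cleared and i not in covered:
                alerts.append({"time": t0.isoformat(), "host": host, "user": user,
                               "severity": "high", "cleared": sorted(cleared)})
                covered.update(burst)
        for i, (t, ch, user) in enumerate(events):
            if i not in covered:
                alerts.append({"time": t.isoformat(), "host": host, "user": user,
                               "severity": "medium", "cleared": [ch]})
    alerts.sort(key=lambda a: a["time"])
    return alerts


# Constructed sample records: one host loses all three logs within seconds,
# another has a single Application-log clear by a service account.
SAMPLE_EVENTS = [
    '{"time": "2023-08-10T07:31:02", "host": "ws01", "log": "Security", "event_id": 4624, "user": "ws-user"}',
    '{"time": "2023-08-10T07:31:10", "host": "ws01", "log": "System", "event_id": 104, "channel": "Application", "user": "ws-user"}',
    '{"time": "2023-08-10T07:31:11", "host": "ws01", "log": "Security", "event_id": 1102, "user": "ws-user"}',
    '{"time": "2023-08-10T07:31:12", "host": "ws01", "log": "System", "event_id": 104, "channel": "System", "user": "ws-user"}',
    '{"time": "2023-08-10T09:05:00", "host": "build-srv", "log": "System", "event_id": 104, "channel": "Application", "user": "svc-backup"}',
    '{"time": "2023-08-10T09:06:00", "host": "build-srv", "log": "System", "event_id": 7036, "user": "SYSTEM"}',
]

if __name__ == "__main__":
    for alert in find_log_wipes(SAMPLE_EVENTS):
        print(alert)
```

A single cleared log is routine on patch or maintenance days, so the rule keys on the combination; the account in the 1102 and 104 records is the one that issued the clear, which is the first pivot when triaging the high-severity case.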
A detailed breakdown of the findings is available in Cisco Talos’s published analysis, and a list of indicators of compromise (IOCs) associated with SugarGh0st is available in the Talos repository on GitHub.