SneakyChef [3] is a cyber-espionage operation tracked by Cisco Talos, whose activity dates back to at least August 2023 [4]. It targets government entities in several regions with customised remote access trojans (RATs) and document-themed lures.
Description
The activity overlaps with what Palo Alto Networks Unit 42 tracks as Operation Diplomatic Specter [2] [3], which has been ongoing since late 2022. Targets include ministries of foreign affairs and other government bodies in South Korea, Uzbekistan [1] [2] [5] [6], the US [1] [6], Angola [1] [6] and Turkmenistan [1] [6]. The lures are chosen to look like routine diplomatic paperwork: scanned official documents [3], fake forms [3] and a scanned article from a Russian-language newspaper. Two RATs provide the remote-control and espionage capability: SugarGh0st, a customised variant of the Gh0st RAT that adds reconnaissance and data-exfiltration features [3], and the newer SpiceRAT. Two delivery chains have been observed: a RAR archive containing a Windows Shortcut (LNK) file, and a self-extracting RAR archive that launches a Visual Basic Script to run the malware [1] [6]. SpiceRAT [1] [2] [3] [4] [5] [6] [7], the new RAT in the set [1] [6] [7], has been seen in attacks against Angola [1]; its loader relies on DLL side-loading and fetches further components from a remote server [1].
Conclusion
The group continues to use both long-standing and newly registered command and control (C2) domains [4], with activity on them observed until mid-May 2024 [4]. Cisco reports that its Secure product line detects the malware involved [4]. Talos assesses with medium confidence that SneakyChef is a Chinese-speaking group [5]; its targeting has since expanded to government entities in Angola, India [6], Latvia [6], Saudi Arabia [6] and Turkmenistan [1] [6]. The pairing of customised RATs with document-themed lures and DLL side-loading is a reminder that defences against state-sponsored espionage need to cover the archive-delivered LNK and script chains that precede the payload, not just the payload itself.
References
[1] https://thehackernews.com/2024/06/chinese-hackers-deploy-spicerat-and.html
[2] https://www.darkreading.com/threat-intelligence/sneakychef-apt-slices-up-foreign-affairs-with-sugargh0st
[3] https://interestingengineering.com/science/sugargh0st-sneakychef-cyberespionage
[4] https://vulners.com/talosblog/TALOSBLOG:54A18A1EE5C35C06D1B58E2F65E13A16
[5] https://blog.talosintelligence.com/sneakychef-sugarghost-rat/
[6] https://www.redpacketsecurity.com/chinese-hackers-deploy-spicerat-and-sugargh0st-in-global-espionage-campaign/
[7] https://duo.com/decipher/espionage-threat-actor-hits-multiple-government-entities