SneakyChef APT Slices Up Foreign Affairs with SugarGh0st

Government ministries around the world continue to fall victim to cyber-espionage attacks, the latest of which is linked to a Chinese-language advanced persistent threat (APT) group dubbed “SneakyChef.” This group has been leveraging a modified version of the Gh0st RAT, known as “SugarGh0st RAT,” to infiltrate and spy on various foreign ministries across the eastern hemisphere.

The Emergence of SneakyChef

The first signs of SneakyChef’s activities date back to late August of last year. Initially, the group targeted South Korea and the Ministry of Foreign Affairs in Uzbekistan using the SugarGh0st RAT. According to a new blog post by Cisco Talos, SneakyChef has since expanded its operations to other countries, focusing on ministries of foreign affairs and other government bodies.

Targets of the Campaign

The campaign’s likely targets, based on the lure documents analyzed, include:

  • Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
  • Ministries of agriculture and forestry, and fisheries and marine resources in Angola
  • The Saudi Arabian embassy in Abu Dhabi

Despite the Chinese language preferences present in SneakyChef’s code and the use of SugarGh0st RAT—typically associated with Chinese threat actors—Talos has not attributed the group to any specific government.

SneakyChef’s Evolving Tactics

In its early campaigns, SneakyChef utilized malicious RAR files embedded in LNK files for initial infections. Recently, the group has shifted to using self-extracting RAR files (SFX RAR), which offer a significant advantage. Nick Biasini, head of outreach at Cisco Talos, explains, “RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to extract the file. A self-extracting RAR file eliminates the need for extra software, increasing the likelihood of infection.”

The SFX RAR files dropped by SneakyChef typically contain:

  • A decoy document related to the targeted ministry or embassy
  • A dynamic link library (DLL) loader
  • Encrypted malware (either SugarGh0st RAT or SneakyChef’s latest tool, SpiceRAT)
  • A malicious Visual Basic (VB) script for establishing persistence

The decoy documents are legitimate, scanned documents related to government business, often describing upcoming meetings or conferences. Notably, Talos could not find any of these documents on the open web, suggesting they were obtained through espionage.
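Because an SFX RAR is a Windows executable stub with the archive appended, a file that carries both a PE header and a RAR signature is worth a closer look on a mail gateway or in a sandbox. The triage check below is an added example, not code from Talos or from this article; `triage_sfx_rar`, `NAME_HINT` and the sample byte strings are my own, and the samples are constructed rather than real SneakyChef files.

```python
"""Triage check for self-extracting RAR (SFX RAR) droppers (added example)."""
import re

PE_MAGIC = b"MZ"
# RAR4 and RAR5 archive signatures as documented in the RAR format.
RAR_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
}
# Heuristic only: RAR file headers store member names unencrypted unless
# header encryption is used, so extensions of interest (decoy document,
# DLL loader, VB script) often appear in clear text after the signature.
NAME_HINT = re.compile(rb"[\w\- ]{1,64}\.(?:vbs|dll|docx?|pdf)", re.IGNORECASE)


def triage_sfx_rar(data: bytes) -> dict:
    """Return a small verdict for one file's bytes.

    is_sfx_rar is set when the file starts with a PE header AND a RAR
    signature appears somewhere after offset 0 (the appended archive).
    """
    verdict = {"is_pe": data[:2] == PE_MAGIC, "rar": None,
               "rar_offset": None, "is_sfx_rar": False, "name_hints": []}
    for sig, version in RAR_SIGNATURES.items():
        off = data.find(sig)
        if off != -1:
            verdict["rar"], verdict["rar_offset"] = version, off
            break
    if verdict["is_pe"] and verdict["rar_offset"] not in (None, 0):
        verdict["is_sfx_rar"] = True
        tail = data[verdict["rar_offset"]:]
        names = {m.decode("ascii", "ignore").strip().lower()
                 for m in NAME_HINT.findall(tail)}
        verdict["name_hints"] = sorted(names)
    return verdict


# Constructed samples (not real malware): a fake PE stub with an appended
# RAR5 archive, a bare RAR4 archive, and a bare PE stub.
CONSTRUCTED_SFX = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"
                   + b"\x00" * 30 + b"Rar!\x1a\x07\x01\x00" + b"\x00\x10"
                   + b"meeting_agenda.docx" + b"\x01\x02" + b"loader.dll"
                   + b"\x03" + b"persist.vbs")
CONSTRUCTED_PLAIN_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
CONSTRUCTED_PLAIN_PE = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_sfx_rar(fh.read()))
```

A hit only says the file is an SFX archive, which has legitimate uses; treat it as a reason to detonate or inspect the archive, not as a verdict on its own.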

The Nature of Government Cyberespionage

Biasini notes that the tactics employed by SneakyChef are characteristic of a “first wave” of cyber-espionage attacks. “This actor is not typically highly sophisticated. They aim to send a lot of lures and get many people infected to gain initial footholds and start gathering data.” When they need access to more secure government bodies, more sophisticated elements of the attacks come into play.

The SneakyChef APT group’s use of SugarGh0st RAT highlights the evolving landscape of cyber threats faced by government entities worldwide. Their ability to adapt their methods and employ sophisticated social engineering tactics underscores the need for continual vigilance and robust cybersecurity measures. As cyber-espionage threats become more pervasive, governments and organizations must remain proactive in their defence strategies to safeguard sensitive information and maintain the integrity of their operations.
