<— Back

Sweet and Spicy Recipes for Government Agencies by SneakyChef

This presentation is about a malicious campaign operated by a Chinese-speaking threat actor, SneakyChef, targeting government agencies, likely the Ministry of External/ Foreign Affairs or Embassies of various countries since as early as 2023, using SugarGh0st RAT and SpiceRAT.

Talos assesses with high confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, usage of the variants of Chinese’s popular malware of choice, Gh0st RAT, and the specific targets, which include the Ministry of External Affairs of various countries and other government entities with the motive of Espionage and data theft. Their notable TTPs include Spear-Phishing campaigns, DLL Side-Loading, custom c2 communication protocol, and abusing legitimate applications.

SneakyChef has used various techniques in this campaign with multi-staged attack chains to deliver the payload SugarGh0st and SpiceRAT. Throughout this presentation, I will discuss various attach-chains and the techniques the threat actor has employed to establish persistence, evade the detections, and implant the RATs successfully.

SugarGh0st RAT infection chains:

We discovered and analyzed three different attack chains in this campaign that delivered the SugarGh0st RAT.

The first infection chain starts with a malicious RAR file containing a Windows Shortcut file with a double extension. When a victim opens the shortcut file, it runs a command to drop and execute an embedded JavaScript file. The JavaScript eventually drops a decoy, an encrypted SugarGh0st payload, a DLL loader, and a batch script. Then, the JavaScript executes the batch script to run the dropped DLL loader by sideloading it with a copied rundll32. The DLL loader will decrypt the encrypted SugarGh0st payload in memory and run it reflectively.

Like the first infection chain, the second attack starts with a RAR archive file containing a malicious Windows Shortcut file forged as the decoy document. The Windows shortcut file, by executing the embedded commands, drops the JavaScript dropper file into the %TEMP% location and executes it with cscript. The JavaScript drops a decoy document, a legitimate DynamicWrapperX DLL, and the encrypted SugarGh0st in this attack. The JavaScript uses the legitimate DLL to enable the embedded shellcode to run the SugarGh0st payload.

The third attack chain is slightly different than the two. Here, the threat actor uses an SFX RAR as the initial vector for this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, DLL loader, encrypted SugarGh0st, and a malicious VB script into the victim’s user profile temporary folder and executes the malicious VB script. The malicious VB script establishes persistence by writing the command to the registry key “UserInitMprLogonScript,” which executes when a local workgroup or domain user logs into the system. When a user logs into the system, the command runs and launches the loader DLL using regsvr32.exe. The loader reads the encrypted SugarGg0st RAT, decrypts it and injects it into a process.

SpiceRAT infection chains:

In another set of attacks of this campaign, we discovered two other types of attack chains where the actor SneakyChef was implanting a new RAT we dubbed SpiceRAT. The infection chain involves multiple stages launched by an HTA or the LNK file.

The LNK-based infection chain begins with a malicious RAR file containing a Windows shortcut (LNK) and a hidden folder. This folder contains multiple components: a malicious executable launcher, a legitimate executable, a malicious DLL loader, an encrypted SpiceRAT masquerading as a legitimate help file (.HLP), and a decoy PDF document. When the victim extracts the RAR file, the LNK, and a hidden folder are dropped from their machine. Upon a victim opening the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder. This malicious launcher executable is a 32-bit binary compiled on Jan 2nd, 2024. When launched by the shortcut file, it reads the victim machine’s environment variable, the execution path of the legitimate executable, and the path of the decoy PDF document and runs them using the API ShellExecuteW. The legitimate file is one of the components of the SpiceRAT infection, which will side-load the malicious DLL loader to decrypt and launch the SpiceRAT payload.

The HTA-based infection chain begins with an RAR archive delivered via spear-phishing email. The RAR file contains a malicious HTA file. When the victim runs the malicious HTA file, the embedded malicious Visual Basic script runs and executes and drops the embedded base64 encoded downloader binary and a malicious batch script into the victim machine’s applications temporary folder. The batch script decodes and runs a malicious downloader that downloads and unpacks the components of the SpiceRAT, including a legitimate executable, malicious DLL, and an encrypted file. The batch script configures a Windows task that runs the legitimate executable, which side-loads the malicious DLL. The malicious DLL decrypts and runs the SpiceRAT reflectively. The SpiceRAT further downloads the plugin and implants it on the victim’s machine as a further-on-payload.

After explaining the attack chains, I will discuss the SugarGh0st RAT and the SpiceRAT functionalities. I will also share insights about our discovery of the RAT’s unique command and control communication patterns.

Finally, I will share the indications of SneakyChef’s origin as a Chinese-speaking actor and the attribution of the SugarGh0st and SpiceRAT attacks to them.