Source |
ProofPoint |
Identifier |
8500792 |
Publication date |
2024-05-16 12:03:39 (viewed: 2024-05-16 09:07:24) |
Title |
Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts |
Text |
What happened
Proofpoint recently identified a SugarGh0st RAT campaign targeting organizations in the United States involved in artificial intelligence efforts, including those in academia, private industry, and government service. Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter.
SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0stRAT, an older commodity trojan typically used by Chinese-speaking threat actors. SugarGh0st RAT has been historically used to target users in Central and East Asia, as first reported by Cisco Talos in November 2023.
In the May 2024 campaign, UNK_SweetSpecter used a free email account to send an AI-themed lure enticing the target to open an attached zip archive.
Analyst note: Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed enough to receive a numerical TA designation.
Lure email
Following delivery of the zip file, the infection chain mimicked “Infection Chain 2” as reported by Cisco Talos. The attached zip file dropped an LNK shortcut file that deployed a JavaScript dropper. The LNK was nearly identical to the publicly available LNK files from Talos' research and contained many of the same metadata artifacts and spoofed timestamps in the LNK header. The JavaScript dropper contained a decoy document, an ActiveX tool that was registered then abused for sideloading, and an encrypted binary, all encoded in base64. While the decoy document was displayed to the recipient, the JavaScript dropper installed the ActiveX library, which was used to run Windows APIs directly from the JavaScript. This allowed subsequent JavaScript to run a multi-stage shellcode derived from DllToShellCode to XOR-decrypt and aplib-decompress the SugarGh0st payload. The payload had the same keylogging, command and control (C2) heartbeat protocol, and data exfiltration methods as previously reported. The main functional differences in the infection chain Proofpoint observed compared to the initial Talos report were a slightly modified registry key name for persistence, CTFM0N.exe, a reduced number of commands the SugarGh0st payload could run, and a different C2 server. The analyzed sample contained the internal version number 2024.2.
Network analysis
Threat Research analysis demonstrated UNK_SweetSpecter had shifted C2 communications from previously observed domains to account.gommask[.]online. This domain briefly shared hosting on 103.148.245[.]235 with previously reported UNK_SweetSpecter domain account.drive-google-com[.]tk. Our investigation identified 43.242.203[.]115 hosting the new C2 domain. All identified UNK_SweetSpecter infrastructure appears to be hosted on AS142032.
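As an added defender-side example (not code from the Proofpoint brief), the following Python matches constructed host and network telemetry against the indicators the brief states: the C2 domains and hosting IPs above and the persistence name CTFM0N.exe. The event dictionary shape, the sample lines and the registry path in them are assumptions; only the leaf name CTFM0N.exe is taken from the brief.

```python
from typing import Optional

# Indicators quoted from the brief, in its defanged "[.]" form.
C2_DOMAINS = {"account.gommask[.]online", "account.drive-google-com[.]tk"}
C2_IPS = {"43.242.203[.]115", "103.148.245[.]235"}
PERSISTENCE_NAME = "ctfm0n.exe"   # registry key name used for persistence


def refang(indicator: str) -> str:
    """Turn the defanged form (a[.]b) back into a matchable string."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in C2_DOMAINS}
IPS = {refang(i) for i in C2_IPS}


def check_event(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None when nothing matches.
    Assumed event shape: {'type': 'dns'|'net'|'reg', 'host': ..., ...}."""
    kind = event.get("type")
    if kind == "dns":
        # Normalise case and a trailing dot before comparing with the C2 domains.
        if event.get("query", "").lower().rstrip(".") in DOMAINS:
            return "dns-c2-domain"
    elif kind == "net":
        if event.get("dst_ip") in IPS:
            return "net-c2-ip"
    elif kind == "reg":
        # Match only the leaf name, wherever the key or value was written.
        leaf = event.get("target", "").lower().rsplit("\\", 1)[-1]
        if leaf == PERSISTENCE_NAME:
            return "reg-persistence-name"
    return None


def scan_events(events) -> list:
    """Return (host, finding) pairs for every event that hits an indicator."""
    return [(e.get("host"), check_event(e)) for e in events if check_event(e)]


# Constructed sample telemetry (not real logs): three hits and two benign lines.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "account.gommask.online"},
    {"type": "dns", "host": "ws01", "query": "update.microsoft.com"},
    {"type": "net", "host": "ws01", "dst_ip": "43.242.203.115", "dst_port": 443},
    {"type": "reg", "host": "ws02", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFM0N.exe"},
    {"type": "reg", "host": "ws02", "target": r"HKCU\Software\Example\Setting"},
]

if __name__ == "__main__":
    for host, finding in scan_events(SAMPLE_EVENTS):
        print(host, finding)
```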
Context
Since SugarGh0st RAT was originally reported in November 2023, Proofpoint has observed only a handful of campaigns. Targeting in these campaigns included a U.S. telecommunications company, an international media organization, and a South Asian government organization. Almost all of the recipient email addresses appeared to be publicly available.
While the campaigns do not leverage technically sophisticated malware or attack chains, Proofpoint's telemetry supports the assessment that the identified campaigns are extremely targeted. The May 2024 campaign appeared to target fewer than 10 individuals, all of whom appear to have a direct connection to a single leading US-based artificial intelligence organization, according to open source research.
Attribution
Initial analysis by Cisco Talos suggested SugarGh0st RAT was used by Chinese language operators. Analysis of earlier UNK_SweetSpecter campaigns in Proofpoint visibility confirmed these language artifacts. At this time, Proofpoint does not have any additional intelligence to strengthen this attribution.
While Proofpoint cannot attribute the campaigns with high confidence to a specific state objective, the lure theme specifically referencing an AI too |
Sent |
Yes |
Tags |
Malware
Tool
Vulnerability
Threat
|