Cisco Talos researchers have uncovered an ongoing campaign by a threat actor known as SneakyChef, using the SugarGh0st malware since August 2023. The campaign has expanded its targets from South Korea and Uzbekistan to include countries in EMEA and Asia, using lures resembling scanned documents from government agencies. The team discovered a new infection chain using RAR SFX files, with the SFX sample indicating Chinese language preferences. The actor profile for SneakyChef suggests Chinese-speaking operators based on their use of Gh0st RAT variants and specific targets like the Ministry of Foreign Affairs.
The group has used decoy documents posing as communications from government agencies, including the Angolan Ministry of Foreign Affairs, the Ministries of Foreign Affairs of Turkmenistan and Kazakhstan, and an official circular from the Kingdom of Saudi Arabia. These decoys described meetings, legal decrees, and event planning, chosen to attract recipients with an interest in those topics. SneakyChef’s operations have also targeted a US organization focused on artificial intelligence, showing that the malware is used against more than government targets.
Overall, the campaign shows a shift in geographical targets and a focus on government-related decoy documents to lure victims into downloading and executing the SugarGh0st malware. Cisco Talos researchers continue to monitor and analyze SneakyChef’s activities to mitigate potential threats.
Article Source
https://industrialcyber.co/ransomware/cisco-talos-details-diverse-sugargh0st-malware-targets-as-sneakychef-hackers-widen-scope/