Suspected China-based hackers target Uzbekistan gov’t and South Koreans, Cisco says

Hackers believed to be based in China are targeting the Uzbekistan Ministry of Foreign Affairs, as well as people in South Korea, with a strain of malware called SugarGh0st, according to a new report.

Cisco published a blog on Thursday spotlighting the malware — which they believe is a variant of Gh0st RAT, an infamous tool used for more than a decade by a range of advanced persistent threat (APT) groups in attacks on diplomatic, political, economic, and military targets around the world.

In the latest campaign identified by Cisco Talos researchers, aChinese-speaking threat actor began attacking targets in August.

The researchers said they discovered four samples deployed as part of the campaign, including one sent to users in Uzbekistan’s Ministry of Foreign Affairs. Once opened, the sample drops a decoy document purporting to be about an investment project with content about a presidential decree about technical regulation.

The decoy document used content published in multiple Uzbekistan sources in 2021 as a lure to get people to open it, and the researchers believe the initial attack vector involved a phishing email with a malicious RAR file attached.

The researchers found three more documents used as decoys that were written in Korean.

They believe the hacker behind the campaign is based in China or is Chinese-speaking because two of the decoy files used were last modified by names written in Simplified Chinese.

Cisco Talos added that Chinese threat actors have long used versions of the Gh0st RAT malware for years and have a history of targeting organizations and people in Uzbekistan. Gh0st RAT, according to Cisco Talos, was created by a Chinese group and its source code was released publicly in 2008.

There are now multiple variants of the malware, which are used by Chinese-speaking actors for surveillance and espionage attacks.

SugarGh0st is customized to allow hackers greater reconnaissance capabilities, including the ability to search for specific keys, file extensions and more. It also allows hackers to deliver customized commands and evade detections.

“The remaining features, including taking full remote control of the infected machine, providing real-time and offline keylogging, hooks to the webcam of an infected machine, and downloading and running other arbitrary binaries on the infected host are aligned with the features of earlier Gh0st RAT variants,” they said.

“SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services.”

It can also take screenshots of the victim machine’s current desktop and switch to multiple windows. Cisco Talos researchers found that the malware allows hackers to access the victim’s machine camera to capture the screen and perform various file operations, including searching, copying, moving and deleting the files on the victim’s machine.

Last year, researchers from Symantec said hackers connected to the Chinese military were using a customized version of Gh0st RAT to target an IT service provider operating in multiple Asian countries as well as government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia and Mongolia.

Other cybersecurity companies saw the malware used last year in a larger campaign by Chinese targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan and Sri Lanka.