Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says


Hackers believed to be based in China are targeting the Uzbekistan Ministry of Foreign Affairs, as well as people in South Korea, with a strain of malware called SugarGh0st, according to a new report.

Cisco published a blog on Thursday spotlighting the malware — which they believe is a variant of Gh0st RAT, an infamous tool used for more than a decade by a range of advanced persistent threat (APT) groups in attacks on diplomatic, political, economic, and military targets around the world.

In the latest campaign identified by Cisco Talos researchers, a Chinese-speaking threat actor began attacking targets in August.

The researchers said they discovered four samples deployed as part of the campaign, including one sent to users in Uzbekistan’s Ministry of Foreign Affairs. Once opened, the sample drops a decoy document that purports to describe an investment project and contains text about a presidential decree on technical regulation.

The decoy document used content published in multiple Uzbekistan sources in 2021 as a lure to get people to open it, and the researchers believe the initial attack vector involved a phishing email with a malicious RAR file attached.

The researchers found three more documents used as decoys that were written in Korean.

They believe the hacker behind the campaign is based in China or is Chinese-speaking because two of the decoy files used were last modified by names written in Simplified Chinese.

Cisco Talos added that Chinese threat actors have used versions of the Gh0st RAT malware for years and have a history of targeting organizations and people in Uzbekistan. Gh0st RAT, according to Cisco Talos, was created by a Chinese group, and its source code was released publicly in 2008.

There are now multiple variants of the malware, which are used by Chinese-speaking actors for surveillance and espionage attacks.

SugarGh0st is customized to allow hackers greater reconnaissance capabilities, including the ability to search for specific keys, file extensions and more. It also allows hackers to deliver customized commands and evade detections.

“The remaining features, including taking full remote control of the infected machine, providing real-time and offline keylogging, hooks to the webcam of an infected machine, and downloading and running other arbitrary binaries on the infected host are aligned with the features of earlier Gh0st RAT variants,” they said.

“SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services.”

It can also take screenshots of the victim machine’s current desktop and switch to multiple windows. Cisco Talos researchers found that the malware allows hackers to access the victim’s machine camera to capture the screen and perform various file operations, including searching, copying, moving and deleting the files on the victim’s machine.

Last year, researchers from Symantec said hackers connected to the Chinese military were using a customized version of Gh0st RAT to target an IT service provider operating in multiple Asian countries as well as government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia and Mongolia.

Other cybersecurity companies saw the malware used last year in a larger campaign by Chinese hackers targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan and Sri Lanka.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
