Cyber Attack

SugarGh0st RAT Attacking Organizations & Individuals in AI Research

The cybersecurity company Proofpoint has found a new operation using the SugarGh0st Remote Access Trojan (RAT) that is going after AI research organizations in the United States.

The operation, linked to a threat cluster known as UNK_SweetSpecter, went after businesses, universities, and government agencies.

Attack Method: Emails with AI-themed bait

UNK_SweetSpecter’s campaign in May 2024 used a free email account to send emails with AI-themed traps to people who might be victims. These emails had a zip archive file to get people to open it.

The zip file dropped an LNK shortcut file that used a JavaScript dropper as soon as it was launched.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

This dropper is then put in the SugarGh0st RAT code.

The attack chain was very similar to a method that Cisco Talos had already reported.

It included a fake document, an ActiveX tool for sideloading, and a base64-encrypted binary file.

The JavaScript dropper was put in a library that later let JavaScript run a multi-stage shellcode, which was what released the SugarGh0st payload.

This payload was meant for data exfiltration, command and control (C2) heartbeat protocol, and keylogging.

Lure email

Analysis of Networks and Attribution

Proofpoint’s study of the network showed that UNK_SweetSpecter had moved its C2 communications to new domains, such as accounts. gommask[.]online, which shared hosting with domains that had already been reported.

It looks like AS142032 is where the infrastructure for these activities is located.

Cisco Talos’s first look at SugarGh0st RAT suggested that it was used by threat actors who spoke Chinese.

Proofpoint’s study of earlier UNK_SweetSpecter campaigns proved these mistakes in the language.

Proofpoint isn’t sure the campaigns were directed at a specific state goal.

Still, the fact that they were very specific and focused on AI experts suggests that the government might have been trying to get private information about generative AI.

A recent Reuters story said that the U.S. government is stepping up its efforts to prevent China from using generative AI.

This campaign is happening simultaneously, which makes it more likely that cybercriminals with ties to China will target people who have access to AI technologies to help them reach their growth goals.

Why it’s important

Enterprise defenders must monitor specific threat actors, which is difficult but necessary.

This campaign shows how important it is to set baselines to detect malicious behavior, even if the threat isn’t currently part of an organization’s threat model.

The fact that common tools are used as the first step in highly targeted spearphishing campaigns shows how important it is to be careful and have strong cybersecurity means in place.

The Yahoo! Paranoids Advanced Cyber Threats Team and Proofpoint’s collaboration was very helpful in locating this operation.

As cyber threats change, partnerships like these and thorough threat research will continue to be essential for protecting against complex attacks.

Indicators of compromise

Indicator Description First Observed
da749785033087ca5d47ee65aef2818d4ed81ef217bfd4bc07be2d0bf105b1bf SHA256
71f5ce42714289658200739ce0bbe439f6ef6fe77a5f6757b1cf21200fc59af7 SHA256
some problems.lnk
fc779f02a40948568321d7f11b5432676e2be65f037acfed344b36cc3dac16fc SHA2256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379 SHA256
feae7b2b79c533a522343ac9e1aa7f8a2cdf38691fbd333537cb15dd2ee9397e SHA256
account.gommask[.]online SugarGh0st RAT C2 Domain 2024-05-08
43.242.203[.]115 SugarGh0st RAT C2 IP 2024-05-08

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently. These bots can…

1 hour ago

Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are…

1 hour ago

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have…

4 hours ago

Life360 Breach: Hackers Accessed the Tile Customer Support Platform

Life360, a company known for its family safety services, recently fell victim to a criminal…

5 hours ago

Microsoft Delays Release of Controversial Windows AI Recall Tool Amid Privacy Concerns

Microsoft has announced that it will delay the broad release of its AI-powered Recall feature…

9 hours ago

SmokeLoader – A Modular Malware With Range Of Capabilities

Hackers misuse malware for diverse illicit intentions, including data theft, disrupting systems, espionage, or distortion…

23 hours ago