Chetan Raghuprasad is a cyber threat researcher with Cisco Talos, focusing on hunting and researching the latest threats in the cyber threat landscape and generating actionable intelligence. He seeks to uncover threat actors' tactics, techniques, and procedures by reversing and analyzing the threats. Chetan also publicly represents Cisco Talos by writing blogs and speaking at cybersecurity conferences worldwide. Chetan Raghuprasad has 16 years of professional experience with expertise in threat research and malware analysis, cyber incident response, and digital forensic analysis. He has worked in technology, consulting, and financial institutions. He is CISSP-certified and a SANS-certified Malware Reverse Engineer and Cyber Threat Intelligence analyst.
In recent findings, Cisco Talos discovered a new threat actor group, dubbed "CoralRaider", which we believe originates from Vietnam and is focused on stealing financial data. CoralRaider has been active since 2023, primarily targeting victims in Asia and Southeast Asia and concentrating on the theft of credentials, financial data, and social media accounts, including business and advertising accounts. Notably, CoralRaider uses a dead-drop technique, relying on legitimate services to host its C2 configuration files, and uncommon living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe.
In February 2024, Talos discovered that CoralRaider had launched a new campaign distributing well-known information-stealing malware, including Cryptbot, LummaC2, and Rhadamanthys. The threat actor adopted an innovative tactic of embedding PowerShell command-line arguments in LNK files to evade antivirus detection and facilitate downloading the malware onto victim hosts. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps with the tactics, techniques, and procedures (TTPs) observed in the earlier Rotbot campaign. These include the use of Windows shortcut files as the initial attack vector, an intermediate PowerShell decryptor, and the FoDHelper technique to bypass User Account Control (UAC) on the victim's machine.
This research reveals CoralRaider's evolving tactics and underscores the importance of continuous threat intelligence for effectively combating emerging cyber threats. Understanding the modus operandi of such threat actor groups is critical to strengthening defenses and reducing risk in today's cybersecurity landscape.
This presentation is about a malicious campaign operated by a Chinese-speaking threat actor, SneakyChef, targeting government agencies, likely the Ministries of External or Foreign Affairs or the embassies of various countries, since as early as 2023, using SugarGh0st RAT and SpiceRAT.
Talos assesses with high confidence that SneakyChef operators are likely Chinese-speaking, based on their language preferences, their use of variants of Gh0st RAT, a malware popular among Chinese-speaking actors, and their specific targets, which include the Ministry of External Affairs of various countries and other government entities, with the motive of espionage and data theft.
Their notable TTPs include spear-phishing campaigns, DLL side-loading, a custom C2 communication protocol, and the abuse of legitimate applications.
SneakyChef has used various techniques in this campaign, with multi-staged attack chains, to deliver the SugarGh0st and SpiceRAT payloads. Throughout this presentation, I will discuss the various attack chains and the techniques the threat actor has employed to establish persistence, evade detection, and successfully implant the RATs.
Finally, I will share the indications of SneakyChef's origin as a Chinese-speaking actor and the attribution of the SugarGh0st and SpiceRAT attacks to them.