SugarGh0st RAT Variant Used in Targeted AI Industry Attacks


Cybersecurity researchers have uncovered a narrowly targeted cyber campaign aimed at organizations involved in artificial intelligence work in the United States.

The May 2024 campaign, attributed to a cluster Proofpoint tracks as UNK_SweetSpecter, employs SugarGh0st RAT, a remote access trojan customized from the widely shared Gh0st RAT codebase. The variant, historically linked to Chinese-speaking threat actors, has now been turned against AI-related entities.

As described in an advisory published by Proofpoint today, the attacks utilized a free email account to distribute AI-themed lures, enticing recipients to open attached zip archives. 

From there, the infection chain closely mirrored the one previously documented by Cisco Talos. The notable differences were that the attackers changed the registry key names used for persistence and pointed the implant at a different command-and-control (C2) server.

The Proofpoint analysis revealed that UNK_SweetSpecter shifted C2 communications to a new domain, account.gommask[.]online, highlighting the attackers’ agility. 
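The only network indicator the report names is the C2 domain above, so the practical first step for a defender is to refang it and sweep DNS or proxy logs for lookups of that host and its subdomains. The script below is an added example, not Proofpoint's or Cisco Talos's tooling; the log format and the sample lines are constructed for illustration, and the broader `gommask.online` parent is deliberately not matched because the page does not say it is malicious.

```python
import re

# Indicator from the Proofpoint report, published in defanged form.
DEFANGED_C2 = "account.gommask[.]online"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a value that can be matched."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


C2_DOMAIN = refang(DEFANGED_C2)

# Constructed log format (assumption): "<timestamp> <source-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


def domain_matches(qname: str, indicator: str) -> bool:
    """True if qname is the indicator itself or a subdomain of it.

    Normalises case and a trailing root dot so 'ACCOUNT.GOMMASK.ONLINE.'
    still matches, while 'notgommask.online' does not.
    """
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def find_c2_lookups(lines, indicator: str = C2_DOMAIN):
    """Return (timestamp, source, qname) for every log line that resolved the C2."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        if domain_matches(m["qname"], indicator):
            hits.append((m["ts"], m["src"], m["qname"]))
    return hits


# Constructed sample DNS log; the two gommask lines are the ones that should fire.
SAMPLE_DNS_LOG = """\
2024-05-16T09:12:01Z 10.0.4.17 query www.example.com.
2024-05-16T09:12:07Z 10.0.4.17 query ACCOUNT.GOMMASK.ONLINE
2024-05-16T09:13:42Z 10.0.4.22 query update.account.gommask.online.
2024-05-16T09:14:03Z 10.0.4.17 query notgommask.online
"""


def sweep_sample():
    return find_c2_lookups(SAMPLE_DNS_LOG.splitlines())


if __name__ == "__main__":
    for ts, src, qname in sweep_sample():
        print(f"{ts} {src} looked up {qname} (matches {C2_DOMAIN})")
```

Feed real resolver or proxy logs through `find_c2_lookups` after adapting `LOG_RE` to the actual format; a hit is a host worth pulling for the registry persistence entries and the archive the user opened.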

Since it was first reported, SugarGh0st RAT has appeared in only a handful of campaigns, consistent with highly targeted operations rather than broad distribution.

“While the campaigns do not leverage technically sophisticated malware or attack chains, [our] telemetry supports the assessment that the identified campaigns are extremely targeted,” Proofpoint wrote.

“The May 2024 campaign appeared to target less than ten individuals, all of whom appear to have a direct connection to a single leading US-based artificial intelligence organization according to open source research.”

Initial attribution pointed towards Chinese-language operators, although no definitive evidence has been published to support it. The campaign's focus on AI experts, and its timing alongside US-China tensions over access to AI technology, do suggest a plausible motive.

“It is possible that if Chinese entities are restricted from accessing technologies underpinning AI development, then Chinese-aligned cyber actors may target those with access to that information to further Chinese development goals,” Proofpoint explained.

