www.proofpoint.com
Open in
urlscan Pro
2a02:e980:107::cf
Public Scan
URL:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american
Submission: On June 24 via api from US — Scanned from DE
Submission: On June 24 via api from US — Scanned from DE
Form analysis 4 forms found in the DOM
<form class="header-nav__search-form">
<input type="text" class="header-nav__search-input" placeholder="">
<input type="submit" class="header-nav__search-button" val="Search">
</form><form id="mktoForm_19277" data-mkto-id="19277" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label="" data-lang-code="us" data-validate-email="1"
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft js-visible mkto-form-processed" data-asset-type="Blogs Subscribe" novalidate="novalidate"
style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); width: 1601px;">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 150px;">
<div class="mktoAsterix">*</div>Business Email:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email *" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 200px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="blogInterest" class="mktoField mktoFieldDescriptor mktoFormCol" value="All Blog Posts" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees_Picklist__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="State" class="mktoField mktoFieldDescriptor mktoFormCol" value="State/Province" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="Website" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium_Detail__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="www-pfpt" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbasesid" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandBase_Data_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Primary_Product_Interest__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="UTM_Post_ID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmcampaign" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmterm" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="db_employee_count" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Unsubscribed" class="mktoField mktoFieldDescriptor mktoFormCol" value="0" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="19277" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="309-RHV-619" placeholder=""><input type="hidden" name="Website_Conversion_URL__c" class="mktoField mktoFieldDescriptor"
value="https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american" placeholder=""><input type="hidden" name="gAClientID" class="mktoField mktoFieldDescriptor"
value="218199944.1719263947" placeholder="">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 150px;">
<div class="mktoAsterix">*</div>Business Email:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email *" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 200px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="blogInterest" class="mktoField mktoFieldDescriptor mktoFormCol" value="All Blog Posts" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees_Picklist__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="State" class="mktoField mktoFieldDescriptor mktoFormCol" value="State/Province" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="Website" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium_Detail__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="www-pfpt" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbasesid" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandBase_Data_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Primary_Product_Interest__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="UTM_Post_ID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmcampaign" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmterm" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="db_employee_count" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Unsubscribed" class="mktoField mktoFieldDescriptor mktoFormCol" value="0" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Submit</button></span></div>
</form><form data-mkto-id="19277" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label="" data-lang-code="us" data-validate-email="1"
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft" data-asset-type="Blogs Subscribe" novalidate="novalidate"
style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form><form data-mkto-id="19277" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label="" data-lang-code="us" data-validate-email="1"
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft js-visible mkto-form-processed" data-asset-type="Blogs Subscribe" novalidate="novalidate"
style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); width: 1600px; visibility: hidden; position: absolute; top: -500px; left: -1000px;"></form>Text Content
Skip to main content English (Americas) Search Login * Products * Solutions * Resources Proofpoint Contact Search * Products * Solutions * Partners * Resources * Company Search Login English (Americas) Products Solutions Partners Resources Company Protect People Multi-layered, adaptive defenses for threat detection, impersonation, and supplier risk. Email Security Impersonation Protection More products Defend Data Transform your information protection with a human-centric, omni-channel approach. Enterprise DLP Adaptive Email DLP Insider Threat Management Intelligent Compliance Mitigate Human Risk Unlock full user risk visibility and drive behavior change. Security Awareness Augment Your Capabilities Managed Services Product Packages More Protect People Products Account Take-Over and Identity Protection Secure vulnerable identities, stop lateral movement and privilege escalation. Adaptive Email Security Stop more threats with a fully integrated layer of behavioral AI. Secure Email Relay Secure your application email and accelerate DMARC implementation SOLUTIONS See how we solve today's complex cyber threats and attacks. Solutions by Industry People-centric solutions for your organization. Authenticate Your Email Protect your email deliverability with DMARC. Combat Email and Cloud Threats Protect your people from email and cloud threats with an intelligent and holistic approach. Change User Behavior Help your employees identify, resist and report attacks before the damage is done. Combat Data Loss and Insider Risk Prevent data loss via negligent, compromised and malicious insiders. Modernize Compliance and Archiving Manage risk and data retention needs with a modern compliance and archiving solution. Protect Cloud Apps Keep your people and their cloud apps secure by eliminating threats and data loss. Prevent Loss from Ransomware Learn about this growing threat and stop attacks by securing ransomware's top vector: email. Secure Microsoft 365 Implement the best security and compliance solution for Microsoft 365. SOLUTIONS BY INDUSTRY People-centric solutions for your organization. Federal Government Cybersecurity for federal government agencies. State and Local Government Protecting the public sector, and the public from cyber threats. Higher Education A higher level of security for higher education. Financial Services Eliminate threats, build trust and foster growth for your organization. Healthcare Protect clinicians, patient data, and your intellectual property against advanced threats. Mobile Operators Make your messaging environment a secure environment. Internet Service Providers Cloudmark email protection. Small and Medium Businesses Big-time security for small business. PARTNERS Deliver Proofpoint solutions to your customers. Channel Partners Archive Extraction Partners Learn about Extraction Partners. GSI and MSP Partners Learn about our global consulting. Technology and Alliance Partners Learn about our relationships. Social Media Protection Partners Learn about the technology and.... Proofpoint Essentials Partner Programs Small Business Solutions . Become a Channel Partner RESOURCES Find reports, webinars, blogs, events, podcasts and more. Resource Library Blog Keep up with the latest news and happenings. Webinars Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity. Podcasts Learn about the human side of cybersecurity. New Perimeters Magazine Get the latest cybersecurity insights in your hands. Threat Glossary Learn about the latest security threats. Events Connect with us at events to learn how to protect your people and data from ever-evolving threats. Customer Stories Read how our customers solve their most pressing cybersecurity challenges. COMPANY Proofpoint protects organizations' greatest assets and biggest risks: their people. About Proofpoint Why Proofpoint Learn about our unique people-centric approach to protection. Careers Stand out and make a difference at one of the world's leading cybersecurity companies. News Center Read the latest press releases, news stories and media highlights about Proofpoint. Privacy and Trust Learn about how we handle data and make commitments to privacy and other regulations. Environmental, Social, and Governance Learn how we apply our principles to positively impact our community. Support Access the full range of Proofpoint support services. Search Proofpoint Try searching for Email Security Phishing DLP Email Fraud Select Product Login * Support Log-in * Digital Risk Portal * Email Fraud Defense * ET Intelligence * Proofpoint Essentials * Sendmail Support Log-in Select Language * English (Americas) * English (Europe, Middle East, Africa) * English (Asia-Pacific) * Español * Deutsch * Français * Italiano * Português * 日本語 * 한국어 Blog Threat Insight Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts SECURITY BRIEF: ARTIFICIAL SWEETENER: SUGARGH0ST RAT USED TO TARGET AMERICAN ARTIFICIAL INTELLIGENCE EXPERTS Share with your network! May 16, 2024 The Proofpoint Threat Research Team WHAT HAPPENED Proofpoint recently identified a SugarGh0st RAT campaign targeting organizations in the United States involved in artificial intelligence efforts, including those in academia, private industry, and government service. Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter. SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0stRAT, an older commodity trojan typically used by Chinese-speaking threat actors. SugarGh0st RAT has been historically used to target users in Central and East Asia, as first reported by Cisco Talos in November 2023. In the May 2024 campaign, UNK_SweetSpecter used a free email account to send an AI-themed lure enticing the target to open an attached zip archive. Analyst note: Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed enough to receive a numerical TA designation. Lure email Following delivery of the zip file, the infection chain mimicked “Infection Chain 2” as reported by Cisco Talos. The attached zip file dropped an LNK shortcut file that deployed a JavaScript dropper. The LNK was nearly identical to the publicly available LNK files from Talos’ research and contained many of the same metadata artifacts and spoofed timestamps in the LNK header. The JavaScript dropper contained a decoy document, an ActiveX tool that was registered then abused for sideloading, and an encrypted binary, all encoded in base64. While the decoy document was displayed to the recipient, the JavaScript dropper installed the library, which was used to run Windows APIs directly from the JavaScript. This allowed subsequent JavaScript to run a multi-stage shellcode derived from DllToShellCode to XOR decrypt, and aplib decompress the SugarGh0st payload. The payload had the same keylogging, command and control (C2) heartbeat protocol, and data exfiltration methods. The main functional differences in the infection chain Proofpoint observed compared to the initial Talos report were a slightly modified registry key name for persistence, CTFM0N.exe, a reduced number of commands the SugarGh0st payload could run, and a different C2 server. The analyzed sample contained the internal version number of 2024.2. NETWORK ANALYSIS Threat Research analysis demonstrated UNK_SweetSpecter had shifted C2 communications from previously observed domains to account.gommask[.]online. This domain briefly shared hosting on 103.148.245[.]235 with previously reported UNK_SweetSpecter domain account.drive-google-com[.]tk. Our investigation identified 43.242.203[.]115 hosting the new C2 domain. All identified UNK_SweetSpecter infrastructure appears to be hosted on AS142032. CONTEXT Since SugarGh0st RAT was originally reported in November 2023, Proofpoint has observed only a handful of campaigns. Targeting in these campaigns included a U.S. telecommunications company, an international media organization, and a South Asian government organization. Almost all of the recipient email addresses appeared to be publicly available. While the campaigns do not leverage technically sophisticated malware or attack chains, Proofpoint’s telemetry supports the assessment that the identified campaigns are extremely targeted. The May 2024 campaign appeared to target less than 10 individuals, all of whom appear to have a direct connection to a single leading US-based artificial intelligence organization according to open source research. ATTRIBUTION Initial analysis by Cisco Talos suggested SugarGh0st RAT was used by Chinese language operators. Analysis of earlier UNK_SweetSpecter campaigns in Proofpoint visibility confirmed these language artifacts. At this time, Proofpoint does not have any additional intelligence to strengthen this attribution. While Proofpoint cannot attribute the campaigns with high confidence to a specific state objective, the lure theme specifically referencing an AI tool, targeting of AI experts, interest in being connected with “technical personnel,” interest in a specific software, and highly targeted nature of this campaign is notable. It is likely the actor’s objective was to obtain non-public information about generative artificial intelligence. The timing of the recent campaign coincides with an 8 May 2024 report from Reuters, revealing that the U.S. government was furthering efforts to limit Chinese access to generative artificial intelligence. It is possible that if Chinese entities are restricted from accessing technologies underpinning AI development, then Chinese-aligned cyber actors may target those with access to that information to further Chinese development goals. WHY IT MATTERS For enterprise defenders facing a near constant onslaught of vulnerabilities and threats, monitoring targeted threat actors often seems like a herculean task. This campaign is an example of how it’s worth establishing baselines to identify malicious activity, even if the threat may not currently exist across an organization's threat model. This activity also demonstrates how the operators of highly targeted spearphishing campaigns may find themselves relying on commodity tools for initial access. Proofpoint Threat Research thanks the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation. EMERGING THREATS SIGNATURES ET MALWARE SugarGh0st RAT CnC Checkin UNK_SweetSpecter SugarGh0st CnC Domain in DNS Lookup UNK_SweetSpecter SugarGh0st CnC Domain in TLS SNI INDICATORS OF COMPROMISE Indicator Description First Observed da749785033087ca5d47ee65aef2818d4ed81ef217bfd4bc07be2d0bf105b1bf SHA256 some problems.zip 2024-05-08 71f5ce42714289658200739ce0bbe439f6ef6fe77a5f6757b1cf21200fc59af7 SHA256 some problems.lnk 2024-05-08 fc779f02a40948568321d7f11b5432676e2be65f037acfed344b36cc3dac16fc SHA2256 ~235232302.js 2024-05-08 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379 SHA256 libeay32.dll 2022-02-18 feae7b2b79c533a522343ac9e1aa7f8a2cdf38691fbd333537cb15dd2ee9397e SHA256 some_problems.docx 2024-05-08 account.gommask[.]online SugarGh0st RAT C2 Domain 2024-05-08 43.242.203[.]115 SugarGh0st RAT C2 IP 2024-05-08 Analyst note: The DLL hash has previously been observed in other attack chains and is not exclusive to SugarGh0st RAT campaigns. Previous Blog Post Next Blog Post SUBSCRIBE TO THE PROOFPOINT BLOG * Business Email: Submit * Business Email: Submit Products * Protect People * Defend Data * Mitigate Human Risk * Premium Services Get Support * Product Support Login * Support Services * IP Address Blocked? Connect with Us * +1-408-517-4710 * Attend an Event * Contact Us * Free Demo Request More * About Proofpoint * Why Proofpoint * Careers * Leadership Team * News Center * Privacy and Trust © 2024. All rights reserved. Terms and conditions Privacy Policy Sitemap * * * *