US AI experts targeted in cyberespionage campaign using SugarGh0st RAT




Security researchers have warned about a new cyberespionage campaign that targets artificial intelligence experts working in private industry, government and academia. The attackers, likely of Chinese origin, are using a remote access trojan (RAT) called SugarGh0st.

“The timing of the recent campaign coincides with an 8 May 2024 report from Reuters, revealing that the US government was furthering efforts to limit Chinese access to generative artificial intelligence,” researchers from security firm Proofpoint found in their analysis. “It is possible that if Chinese entities are restricted from accessing technologies underpinning AI development, then Chinese-aligned cyber actors may target those with access to that information to further Chinese development goals.”

It’s worth noting, though, that Proofpoint has not confidently linked this activity to a known threat actor, much less a state-aligned one; for now it tracks the activity under the temporary alias UNK_SweetSpecter.

SugarGh0st is a customized version of a commodity trojan program called Gh0stRAT that has historically been used in attacks by many Chinese groups. SugarGh0st itself was first documented by researchers from Cisco Talos in November 2023 when it was used against government targets in Uzbekistan and South Korea.

At the time, the Talos team attributed the attacks with low confidence to a Chinese-speaking threat actor due to Chinese language artifacts present in the trojan’s code. According to Proofpoint, those artifacts still exist in the samples used in this new campaign against AI experts and the infection chain is similar to that used in the November attack.

Phishing used as initial access point

The victims are targeted via phishing emails with an AI-themed lure, in which the attackers presented themselves as users of a tool the victims would be familiar with and asked for help with a problem. The emails carried a malicious ZIP attachment with a .LNK (Windows shortcut) file inside.

LNK files are a common distribution mechanism for malware because they can be used to execute shell commands. In this case, the rogue LNK file contained command-line parameters to execute JavaScript code that acted as a malware dropper.

A malware dropper is a program or script used to “drop” additional payloads on a system, either by decrypting their code stored in an existing file or by downloading the payloads from a remote location.

“The JavaScript dropper contained a decoy document, an ActiveX tool that was registered then abused for sideloading, and an encrypted binary, all encoded in base64,” the Proofpoint researchers said. “While the decoy document was displayed to the recipient, the JavaScript dropper installed the library, which was used to run Windows APIs directly from the JavaScript.”

The JavaScript dropper leverages the ActiveX library to execute shellcode on the system to create a registry startup entry called CTFM0N.exe and reflectively load the SugarGh0st binary in memory.
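The startup entry name CTFM0N.exe (with a digit zero) imitates the legitimate Windows ctfmon.exe, a common trick for hiding persistence in plain sight. As an added illustration, not code from the Proofpoint report or this article, the following Python check scans constructed autostart (Run key) events for lookalike names of known system binaries and for system-binary names whose image path lies outside the Windows directory. The event format and the list of binary names are assumptions for the example.

```python
import re

# Legitimate Windows binary names that persistence entries often imitate (assumed list).
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

# Digit-for-letter substitutions commonly used to build lookalike names (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(name: str) -> str:
    """Lower-case a file name and map digit lookalikes back to the letters they imitate."""
    return name.lower().translate(HOMOGLYPHS)


def classify_autostart(entry_name: str, image_path: str) -> list[str]:
    """Return the reasons an autostart entry looks suspicious (empty list if it looks benign)."""
    reasons = []
    base = entry_name.lower()
    path = image_path.strip('"').lower()
    # Name differs from a system binary only by homoglyphs, e.g. CTFM0N.exe vs ctfmon.exe.
    if base not in KNOWN_SYSTEM_BINARIES and normalize(base) in KNOWN_SYSTEM_BINARIES:
        reasons.append(f"lookalike of system binary {normalize(base)}")
    # A genuine system binary lives under the Windows directory; a copy elsewhere is a red flag.
    if normalize(base) in KNOWN_SYSTEM_BINARIES and not re.match(r"^[a-z]:\\windows\\", path):
        reasons.append("system binary name outside the Windows directory")
    return reasons


def scan_autostart_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run classify_autostart over a list of Run-key events and return the flagged ones."""
    flagged = []
    for ev in events:
        reasons = classify_autostart(ev["name"], ev["image"])
        if reasons:
            flagged.append((ev["name"], reasons))
    return flagged


# Constructed sample events in the shape an EDR or Sysmon registry-set collector might emit.
SAMPLE_EVENTS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "CTFM0N.exe",
     "image": r"C:\Users\alice\AppData\Roaming\CTFM0N.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "ctfmon.exe",
     "image": r"C:\Windows\System32\ctfmon.exe"},
]

if __name__ == "__main__":
    for name, reasons in scan_autostart_events(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```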

SugarGh0st RAT used in highly targeted attacks

The SugarGh0st RAT connects to a remote command-and-control (C2) server that’s different from the one used in November. Its functionality includes collecting information about the infected system and launching a reverse shell through which attackers can access the system and execute commands.

Proofpoint has monitored several attack campaigns that have used SugarGh0st since November, and all of them can be described as highly targeted. Targets included a US telecommunications company, an international media organization, a South Asian government organization and now around 10 individuals who have connections to a leading US-based artificial intelligence organization.

“While Proofpoint cannot attribute the campaigns with high confidence to a specific state objective, the lure theme specifically referencing an AI tool, targeting of AI experts, interest in being connected with ‘technical personnel,’ interest in a specific software, and highly targeted nature of this campaign is notable,” the researchers said. “It is likely the actor’s objective was to obtain non-public information about generative artificial intelligence.”

The Proofpoint report includes indicators of compromise in the form of file hashes, URLs and IP addresses used in the campaign, as well as detection signatures.
