Unveiling SpiceRAT: Latest tool targeting EMEA and Asia

June 24, 2024, 8:23 a.m.

Description

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign. The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh0st malware through phishing emails with RAR attachments containing LNK or HTA files as initial vectors. SpiceRAT utilizes sideloading techniques, leveraging legitimate executables to load malicious components. It gathers system reconnaissance data, communicates with command-and-control servers, and can download additional plugins to expand its capabilities. The report details two infection chains, the malware's analysis, and indicators of compromise.

External References

https://blog.talosintelligence.com/new-spicerat-sneakychef/
https://otx.alienvault.com/pulse/66792860d0727814a5dee041
Tags
rat
phishing
sugargh0st
sideloading
2024-06-24
spicerat

Date

  • Created: June 24, 2024, 8:03 a.m.
  • Published: June 24, 2024, 8:03 a.m.
  • Modified: June 24, 2024, 8:23 a.m.

Indicators

  • 94.198.40.4
  • 45.144.31.57
  • http://94.198.40.4/homepage/index.aspx
  • http://stock.adobe-service.net/homepage/index.aspx
  • http://45.144.31.57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zip
  • stock.adobe-service.net
Download all indicators here!

Attack Patterns

  • SugarGh0st
  • SpiceRAT
  • SneakyChef
  • T1119
  • T1136
  • T1070
  • T1574
  • T1547
  • T1105
  • T1036
  • T1027
  • T1195
  • T1566
  • T1059

Additional Informations

  • Government
  • Turkmenistan
  • Angola