Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia


Original Text

Chetan Raghuprasad

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. We observed that SneakyChef launched a phishing campaign, sending emails that delivered SugarGh0st and SpiceRAT from the same email address. We identified two infection chains used to deliver SpiceRAT, using LNK and HTA files as the initial attack vectors. Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.

SneakyChef delivered SpiceRAT to target the Angolan government with lures from a Turkmenistan news agency

Talos recently revealed SneakyChef's continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware (read the corresponding research here). However, we found that a new malware we dubbed "SpiceRAT" was also delivered in this campaign.

SneakyChef is using the name "ala de Emissão do Edifício B Mutamba" and the email address "dtti.edb@[redacted]" to send phishing emails with at least 28 different RAR file attachments that deliver either SugarGh0st or SpiceRAT. One of the decoy PDFs we analysed in this campaign was dropped by a RAR archive delivered as an attachment in emails that likely targeted Angolan government agencies. The decoy PDF contained lures from the Turkmenistan state-owned news media "ТУРКМЕНСКАЯ ГОСУДАРСТВЕННАЯ ИЗДАТЕЛЬСКАЯ СЛУЖБА" (Neytralnyy Turkmenistan), indicating that the actor likely downloaded the PDF from the agency's official website. We also found that a similar decoy PDF from the same news agency was dropped by the RAR archive that delivered SugarGh0st in this campaign, highlighting that SneakyChef has both SugarGh0st RAT and SpiceRAT in its arsenal.

Figure: Decoy PDF samples of the SugarGh0st and SpiceRAT attacks.

Two infection chains

Talos discovered two infection chains employed by SneakyChef to deploy SpiceRAT. Both infection chains involve multiple stages launched by an HTA or LNK file.

LNK-based infection chain

The LNK-based infection chain begins with a malicious RAR file that contains a Windows shortcut file (LNK) and a hidden folder. This folder contains multiple components: a malicious launcher executable, a legitimate executable, a malicious DLL loader, an encrypted SpiceRAT masquerading as a legitimate help file (.HLP) and a decoy PDF. The table below shows an example of the components of this attack chain.

File name            Description
2024-01-17.pdf.lnk   Malicious shortcut file
LaunchWlnApp.exe     Windows EXE that opens the decoy PDF and runs the legitimate EXE
dxcap.exe            Benign executable that side-loads the malicious DLL
ssMUIDLL.dll         Malicious DLL loader
CGMIMP32.HLP         Encrypted SpiceRAT
Microsoftpdf.pdf     Decoy PDF

When the victim extracts the RAR file, it drops the LNK and the hidden folder on their machine. When the victim opens the shortcut file, which masquerades as a PDF document, it executes an embedded command that runs the malicious launcher executable from the dropped hidden folder.

Figure: Sample LNK file that starts the malicious launcher EXE.

The malicious launcher executable is a 32-bit binary compiled on Jan. 2, 2024. When launched by the shortcut file, it reads the victim machine's environment variables, the execution path of the legitimate executable and the path of the decoy PDF document, and runs both using the ShellExecuteW API.

Figure: Sample function that starts the legitimate EXE and opens the decoy document.

The legitimate executable is one of the components of the SpiceRAT infection: it side-loads the malicious DLL loader, which decrypts and launches the SpiceRAT payload.

HTA-based infection chain

The HTA-based infection chain also begins with a RAR archive delivered by email. The RAR file contains a malicious HTA file. When the victim runs the HTA file, the embedded Visual Basic script executes and drops the embedded base64-encoded downloader binary into the victim's user profile temporary folder, disguised as a text file named "Microsoft.txt". After dropping the encoded downloader, the HTA file executes another function, which drops and executes a Windows batch file named "Microsoft.bat" in the same temporary folder.
The batch file performs the following operations on the victim's machine.

It uses certutil to decode the base64-encoded binary in "Microsoft.txt" and save it as "Microsoft.exe" in the user profile temporary folder:

certutil -decode %temp%\Microsoft.txt %temp%\Microsoft.exe

It creates a Windows scheduled task that runs the malicious downloader every five minutes; the /F switch suppresses the warning that would otherwise be raised if a task with the same name already existed:

schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\Microsoft.exe /sc minute -mo 5 /F

It creates another Windows task named "MicrosoftDeviceSync" to run the downloaded legitimate executable "ChromeDriver.exe" every 10 minutes:

schtasks /create /tn MicrosoftDeviceSync /tr C:\ProgramData\Chrome\ChromeDirver.exe /sc minute -mo 10 /F

After establishing persistence with the scheduled tasks, the batch script runs three more commands to erase infection markers: it deletes a Windows task named MicrosoftDefenderUpdateTaskMachineClSAN, removes the encoded downloader "Microsoft.txt" and the malicious HTA file along with any other contents unpacked from the RAR attachment, and finally deletes itself (del %0):

schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN
del /f /q %temp%\Microsoft.txt %temp%\Microsoft.hta
del %0

The malicious downloader is a 32-bit executable compiled on March 5, 2024. Once the MicrosoftEdgeUpdateTaskMachineClSAN task runs it on the victim's machine, it downloads a malicious archive "chromeupdate.zip" from an attacker-controlled server through a hardcoded URL and unpacks its contents into "C:\ProgramData\Chrome". The unpacked files are the components of SpiceRAT.
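A static triage pass over the HTA chain described above, as an added example that is not code from the Talos report or from the malware: it carves the base64-encoded downloader out of the HTA the way an analyst would before running it, emulates the certutil -decode step, recovers the commands the VBScript writes into Microsoft.bat, and flags the decoding and persistence commands with rules that fold case and accept both "/switch" and "-switch" forms, so the same rules also catch the dash-prefixed, mixed-case schtasks command the SpiceRAT loader uses for its "Microsoft Update" task later in this report. The HTA text and the downloader bytes are constructed stand-ins (a bare "MZ" header plus filler, not a real binary); the real SneakyChef HTA is not reproduced, and only the batch commands quoted in the report are taken from it.

```python
import base64
import re

# Constructed stand-in for the downloader the HTA drops as %temp%\Microsoft.txt:
# a bare "MZ" header plus filler, not a real executable.
FAKE_DOWNLOADER = b"MZ" + b"\x90" * 200
ENCODED_DOWNLOADER = base64.b64encode(FAKE_DOWNLOADER).decode()

# Constructed HTA in the shape the report describes: VBScript that writes the
# base64 blob to Microsoft.txt and the batch commands to Microsoft.bat in %temp%.
# Only the batch commands are the ones quoted in the report.
SAMPLE_HTA = r'''<html><head><HTA:APPLICATION ID="upd" WINDOWSTATE="minimize" SHOWINTASKBAR="no"/>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
tmp = sh.ExpandEnvironmentStrings("%temp%")
Set f = fso.CreateTextFile(tmp & "\Microsoft.txt", True)
f.Write "__B64__"
f.Close
Set b = fso.CreateTextFile(tmp & "\Microsoft.bat", True)
b.WriteLine "certutil -decode %temp%\Microsoft.txt %temp%\Microsoft.exe"
b.WriteLine "schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\Microsoft.exe /sc minute -mo 5 /F"
b.WriteLine "schtasks /create /tn MicrosoftDeviceSync /tr C:\ProgramData\Chrome\ChromeDirver.exe /sc minute -mo 10 /F"
b.WriteLine "schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN"
b.WriteLine "del /f /q %temp%\Microsoft.txt %temp%\Microsoft.hta"
b.WriteLine "del %0"
b.Close
sh.Run tmp & "\Microsoft.bat", 0, False
</script></head></html>'''.replace("__B64__", ENCODED_DOWNLOADER)

# The loader's own task-creation command as quoted in the report (username elided there).
LOADER_TASK_CMD = r'schtasks -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\Users\\AppData\Local\data\dxcap.exe"'

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MAGICS = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"Rar!": "RAR archive"}
# Staging directories the batch file and loader use: %temp%, C:\ProgramData\... and
# C:\Users\<user>\AppData\Local\data (matched on the lower-cased command line).
STAGING = re.compile(r"%temp%|\\appdata\\local\\|\\programdata\\")


def carve_base64(text):
    """(offset, label, bytes) for every long base64 run that decodes cleanly."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        label = next((n for magic, n in MAGICS.items() if blob.startswith(magic)), "unknown")
        found.append((m.start(), label, blob))
    return found


def certutil_decode(text):
    """Emulate 'certutil -decode': drop PEM-style -----BEGIN/END----- lines, join the rest."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def batch_lines(hta_text):
    """Commands the VBScript writes into the dropped batch file."""
    return re.findall(r'WriteLine\s+"([^"]*)"', hta_text)


def normalize(cmd):
    """Lower-case and rewrite '-switch' as '/switch': schtasks accepts both, and the
    SpiceRAT loader writes its task with '-CreAte -sC minute -mo 2'."""
    return re.sub(r"(?<=\s)-(?=[a-z])", "/", cmd.lower())


def _arg(norm, switch):
    m = re.search(rf'/{switch}\s+(?:"([^"]*)"|(\S+))', norm)
    return (m.group(1) or m.group(2)) if m else None


def flag(cmd):
    """Reasons a command looks like the batch/loader stage: certutil decoding into a
    staging directory, or a minute-interval task with a Microsoft-like name run from one."""
    n, hits = normalize(cmd), []
    if "certutil" in n and "/decode" in n and STAGING.search(n):
        hits.append("certutil -decode into a staging directory")
    if "schtasks" in n and "/create" in n:
        run, name = _arg(n, "tr"), _arg(n, "tn") or ""
        if run and STAGING.search(run):
            if _arg(n, "sc") == "minute":
                hits.append(f"task '{name}' runs {run} every {_arg(n, 'mo') or 1} min")
            if name.startswith("microsoft"):
                hits.append(f"Microsoft-lookalike task name '{name}'")
    return hits


def triage(hta_text):
    """Static pass over an HTA: embedded payloads plus the batch commands that fire rules."""
    payloads = [(off, label, len(blob)) for off, label, blob in carve_base64(hta_text)]
    flagged = {}
    for cmd in batch_lines(hta_text):
        hits = flag(cmd)
        if hits:
            flagged[cmd] = hits
    return {"payloads": payloads, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_HTA)
    print("embedded payloads:", result["payloads"])
    for cmd, hits in result["flagged"].items():
        print(cmd, "->", hits)
    print(LOADER_TASK_CMD, "->", flag(LOADER_TASK_CMD))
```

Run as-is for the self-check on the constructed HTA, or call triage() on the text of a captured HTA; base64 that the script splits across several VBScript string concatenations needs joining before carve_base64 sees it, and any "-----BEGIN CERTIFICATE-----" wrapper on the dropped text file is handled by certutil_decode, because certutil -decode ignores those lines too.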
Figure: A sample function of the malicious downloader.

Analysis of SpiceRAT

Both infection chains eventually drop the SpiceRAT files onto the victim machine. SpiceRAT consists of four main components: a legitimate executable, a malicious DLL loader, an encrypted payload and the downloaded plugins.

The loader components of SpiceRAT

Legitimate executable

The threat actor uses a legitimate executable (named "RunHelp.exe") as a launcher to side-load the malicious DLL loader (ssMUIDLL.dll). This executable is a Samsung RunHelp application signed with the certificate of "Samsung Electronics CO., LTD.". In some instances it has been observed masquerading as "dxcap.exe", a DirectX diagnostic included with Visual Studio, and as "ChromeDriver.exe", the executable that Selenium WebDriver uses to control the Google Chrome web browser.

Figure: File properties and digital signature details of the legitimate executable.

The legitimate Samsung helper application normally loads a DLL called "ssMUIDLL.dll". In this attack, the threat actor abuses the application by side-loading a malicious DLL loader that masquerades as the legitimate DLL and calling its exported function GetFullLangFileNameW2.

Figure: Sample function that side-loads the malicious DLL.

Malicious DLL loader

The malicious loader is a 32-bit DLL compiled on Jan. 2, 2024. When its exported function GetFullLangFileNameW2() runs, it copies the downloaded legitimate executable into the folder "C:\Users\\AppData\Local\data\" as "dxcap.exe", together with the malicious DLL "ssMUIDLL.dll" and the encrypted SpiceRAT payload "CGMIMP32.HLP".

Figure: A sample function that copies the SpiceRAT components.

It then runs schtasks to create a Windows task named "Microsoft Update", configured to run "dxcap.exe" every two minutes. This technique establishes persistence at multiple locations on the victim's machine to maintain resilience.

schtasks -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\Users\\AppData\Local\data\dxcap.exe"

Figure: A sample function that creates the Windows task.

The loader DLL then takes a snapshot of the running processes on the victim machine and checks whether the legitimate executable that side-loaded it is being debugged, by querying its process information with NtQueryInformationProcess. The loader DLL then executes another function that loads the encrypted file "CGMIMP32.HLP", which masquerades as a legitimate Windows help file, into memory and decrypts it with the RC4 algorithm. In one of the samples, we found that the DLL used the key phrase "{11AADC32-A303-41DC-BF82-A28332F36A2E}" to decrypt SpiceRAT in memory. After decryption, the loader DLL injects SpiceRAT into its parent process "dxcap.exe" and runs it from memory.

Figure: A sample function that decrypts SpiceRAT in memory.

The SpiceRAT payloads

Talos discovered that SneakyChef has employed SpiceRAT and its plugin as the payloads in this campaign. With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim's network, paving the way for further attacks.

SpiceRAT is a 32-bit Windows executable with three malicious export functions: GetFullLangFileNameW2, WinHttpPostShare and WinHttpFreeShareFree. Initially, it executes the GetFullLangFileNameW2 function, which creates a mutex as an infection marker on the victim machine. The mutex name is hardcoded in the RAT binary. We spotted two different mutex names among the SpiceRAT samples we analyzed:

{00866F68-6C46-4ABD-A8D6-2246FE482F99}
{00861111-3333-4ABD-GGGG-2246FE482F99}

After the mutex is created, the RAT collects reconnaissance data from the victim's machine, including the operating system version number, hostname, username, IP address and the network card hardware (MAC) address. The reconnaissance data is then encrypted and stored in the machine's memory.

Figure: A sample function that encrypts the reconnaissance data in memory.

During runtime, the RAT loads WININET.dll and resolves the addresses of its functions to prepare for C2 communication.

Figure: A sample function that loads the APIs of WININET.dll.
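To recover the SpiceRAT image from CGMIMP32.HLP without running the loader, the following added example (not code from the report, the loader or the malware) implements the RC4 decryption the "Malicious DLL loader" section above describes and checks the result for a PE header. It assumes the .HLP file is the raw RC4 ciphertext of the PE with no extra header or second layer, and that the key phrase the report recovered, "{11AADC32-A303-41DC-BF82-A28332F36A2E}", is used as the RC4 key as ASCII bytes either with or without its NUL terminator; the report does not state the exact key schedule, so both variants are tried, and the self-check encrypts a constructed minimal PE-shaped blob rather than a real sample.

```python
import struct
import sys

# Key phrase the report recovered from one loader sample. Whether the loader feeds
# this string to RC4 directly, with or without its NUL terminator, is not stated;
# both candidates below are an assumption, not the loader's confirmed key schedule.
KEY_PHRASE = "{11AADC32-A303-41DC-BF82-A28332F36A2E}"
KEY_CANDIDATES = [KEY_PHRASE.encode("ascii"), KEY_PHRASE.encode("ascii") + b"\x00"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(encrypted: bytes, candidates=KEY_CANDIDATES):
    """Try each key candidate; return (key, plaintext) for the first that yields a PE."""
    for key in candidates:
        plain = rc4(key, encrypted)
        if looks_like_pe(plain):
            return key, plain
    raise ValueError("no candidate key produced a PE image; the sample may use "
                     "another key or an additional encoding layer")


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted SpiceRAT DLL: a minimal MZ header whose
    e_lfanew points at a 'PE\\0\\0' signature. Not a real or runnable image."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"\x00" * (0x80 - len(header)) + b"PE\x00\x00" + b"\x90" * 64


if __name__ == "__main__":
    if len(sys.argv) == 3:   # real use: python spicerat_rc4.py CGMIMP32.HLP out.dll
        with open(sys.argv[1], "rb") as f:
            key, plain = decrypt_payload(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(plain)
        print(f"decrypted with key {key!r}, wrote {len(plain)} bytes")
    else:                    # self-check on the constructed blob
        blob = rc4(KEY_CANDIDATES[0], build_fake_pe())
        key, plain = decrypt_payload(blob)
        print(f"recovered PE-shaped image of {len(plain)} bytes with key {key!r}")
```

If neither key variant yields an MZ/PE image, the sample most likely uses a different key or an extra layer, and the key material should be pulled from the loader DLL's decryption routine rather than guessed.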
Once the WININET.dll function addresses are resolved, the RAT executes the WinHttpPostShare function to communicate with the C2. It connects to the C2 server at a URL hardcoded in the binary using the HTTP POST method. It then reads the encrypted stream of reconnaissance data and user credentials from memory and sends it to the C2 server. The C2 server responds with an encrypted message enclosed in HTML tags. The RAT decrypts the response and writes it into a memory stream.

We discovered that the C2 server sends an encrypted binary stream to the RAT. The RAT decrypts the stream into a DLL in memory and executes its exported functions; the decrypted DLL functions as a plugin to SpiceRAT.

Figure: A sample function that runs a PE file.

C2 communications

SneakyChef's infrastructure includes the malware's download server and its command and control (C2) servers. In one attack, the threat actor hosted a malicious ZIP archive on the server 45[.]144[.]31[.]57 and hardcoded the following URL in the malicious downloader executable:

http://45[.]144[.]31[.]57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zip

C2 servers

We observed that the threat actor used both IP addresses and domain names to reach the C2 servers in different SpiceRAT samples from this campaign. Our research uncovered the following C2 URLs hardcoded in SpiceRAT samples:

hxxp[://]94[.]198[.]40[.]4/homepage/index.aspx
hxxp[://]stock[.]adobe-service[.]net/homepage/index.aspx
hxxp[://]app[.]turkmensk[.]org/homepage/index.aspx

One of the C2 servers, 94[.]198[.]40[.]4, was found to be running Windows Server 2016 and was hosted on the M247 network, which is frequently abused by APT groups. Passive DNS data indicate that 94[.]198[.]40[.]4 resolved to the domain app[.]turkmensk[.]org, and we found another SpiceRAT sample in the wild that communicated with this domain.

Further analysis of the C2 server 94[.]198[.]40[.]4 uncovered a unique C2 communication pattern for SpiceRAT. SpiceRAT initially sends the encrypted reconnaissance data to the C2 URL with an HTTP POST; the C2 server then responds with an encrypted message embedded in HTML tags.
We observed that SpiceRAT and its C2 servers use a three-byte prefix on each of their first three requests and responses.

C2 server response prefix

Our analysis suggests that the second request SpiceRAT sends likely contains the encrypted stream of the victim machine's user credentials.

For the third request SpiceRAT sends from the victim machine, the C2 server responds with an encrypted stream containing the SpiceRAT plugin binary. SpiceRAT then decrypts the plugin DLL and loads it reflectively.

Once the plugin is downloaded and implanted on the victim's machine, SpiceRAT sends another request with the prefix "wG". The C2 server responds with the unencrypted message "D_OK", likely as confirmation of a successful payload download.

Figure: Sample function of SpiceRAT executing the export functions of the plugin.

SpiceRAT plugin enables further attacks

The SpiceRAT plugin is a 32-bit dynamic link library compiled on March 28, 2023. The plugin has the original filename "Moudle.dll" and two export functions: Download and RunPE. The Download function appears to take decrypted response data from the C2 server, held in the victim's memory, and write it to a file on disk, likely as commanded by the C2.

Figure: The downloader function of the SpiceRAT plugin.

The RunPE function appears to execute arbitrary commands or binaries, likely sent from the C2, using the WinExec API.

TTPs overlap with other malware campaigns

Talos assesses with medium confidence that SneakyChef, the actor using SpiceRAT and SugarGh0st RAT, is a Chinese-speaking actor, based on the language observed in the artifacts and overlapping TTPs with other malware campaigns.

In this campaign, SpiceRAT leverages the side-loading technique, using a legitimate executable alongside a malicious loader DLL and the encrypted payload. Although side-loading is a widely adopted tactic, technique and procedure (TTP), the choice of the Samsung helper application to side-load a malicious DLL masquerading as "ssMUIDLL.dll" is particularly notable. This method has previously been observed in the PlugX and SPIVY RAT campaigns.

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context for your specific environment and threat data are available from the Firewall Management Center.

Original Text ChatGPT 4o Paged


Phase: Initial Access

  • Technique: Phishing via Malicious Email
  • Procedure: The threat actor, SneakyChef, sends phishing emails from the address “dtti.edb@[redacted]” containing RAR file attachments. These RAR files include LNK and HTA files as initial attack vectors.

Phase: Execution

  • Technique: Malicious LNK and HTA File Execution
  • Procedure:
  • LNK File Execution: Opening the LNK file, which masquerades as a PDF, runs an embedded command that starts a malicious launcher executable from a hidden folder dropped alongside it; the launcher opens the decoy PDF and starts a legitimate executable that side-loads the malicious DLL loader.
  • HTA File Execution: Running the HTA executes an embedded VBScript that drops a base64-encoded downloader and a batch file into the user's temporary folder; the batch file decodes and schedules the downloader, which fetches the SpiceRAT components.

Phase: Payload Delivery

  • Technique: Delivery of Payloads via Email Attachments
  • Procedure: The payloads SugarGh0st and SpiceRAT are delivered through RAR file attachments in phishing emails.

Phase: Defense Evasion

  • Technique: Use of Decoy Documents
  • Procedure: The RAR archive contains a decoy PDF from the Turkmenistan state-owned news agency to distract the target and obscure the malicious activity.

Phase: Impact

  • Technique: Remote Access Trojan Deployment (SpiceRAT)
  • Procedure: Once executed, SpiceRAT establishes remote access capabilities on the infected systems, allowing the attacker to perform further actions based on their objectives.


Phase: Initial Access

  • Technique: Phishing with Malicious Archive
  • Procedure: User is tricked into extracting a RAR file containing a shortcut (LNK) and hidden folder with malicious components.

Phase: Execution

  • Technique: LNK File Execution
  • Procedure: Opening the LNK file triggers an embedded command to execute LaunchWlnApp.exe from a hidden folder.

  • Technique: DLL Side-Loading
  • Procedure: LaunchWlnApp.exe runs dxcap.exe, a legitimate executable, which side-loads the malicious ssMUIDLL.dll.

Phase: Execution

  • Technique: Malware Decryption and Loading
  • Procedure: The malicious DLL loader (ssMUIDLL.dll) decrypts CGMIMP32.HLP (the encrypted SpiceRAT) in memory and runs it.

Phase: Defense Evasion

  • Technique: Masquerading
  • Procedure: Files are named and structured to appear as legitimate documents and executables, such as the decoy PDF (Microsoftpdf.pdf).


Phase: Initial Access

  • Technique: Spear-Phishing Attachment
  • Procedure: The attacker sends a spear-phishing email with a RAR archive containing a malicious LNK file (masquerading as a PDF) and a hidden folder of components.

Phase: Execution

  • Technique: LNK File Execution
  • Procedure: Opening the LNK runs an embedded command that starts the malicious launcher executable from the hidden folder; the launcher uses ShellExecuteW to open the decoy PDF and run the legitimate executable.

Phase: Defense Evasion

  • Technique: DLL Side-Loading
  • Procedure: The legitimate executable side-loads the malicious DLL loader, which decrypts the SpiceRAT payload with RC4 and runs it in memory.

Phase: Persistence

  • Technique: Scheduled Task
  • Procedure: The DLL loader creates a scheduled task named "Microsoft Update" that runs the side-loading executable (dxcap.exe) every two minutes.

Phase: Command and Control

  • Technique: Encrypted HTTP Communication
  • Procedure: SpiceRAT sends encrypted reconnaissance data to a hardcoded C2 URL with HTTP POST and receives encrypted responses embedded in HTML tags, including a plugin DLL that it loads in memory.

Phase: Execution (Payload Deployment)

  • Technique: Remote Access Tool Deployment
  • Procedure: The SpiceRAT plugin's Download and RunPE exports let the operator write files to disk and run arbitrary commands or binaries received from the C2 server.


Phase: Execution

  • Technique: LNK File Execution
  • Procedure: The attacker uses a .lnk file to start a malicious launcher executable. The launcher reads environment variables and paths, then uses ShellExecuteW to run the legitimate executable and open a decoy PDF document.

Phase: Execution

  • Technique: DLL Sideloading
  • Procedure: The legitimate executable is part of the SpiceRAT infection process, which sideloads a malicious DLL to decrypt and execute the SpiceRAT payload.

Phase: Execution (Alternative Chain)

  • Technique: HTA File Execution
  • Procedure: An HTA file delivered in a RAR archive runs an embedded Visual Basic script when the victim opens it.

Phase: Execution (Alternative Chain)

  • Technique: Visual Basic Script Execution
  • Procedure: The VB script drops the embedded base64-encoded downloader as "Microsoft.txt" in the user's profile temporary folder, then drops and runs a batch file "Microsoft.bat" from the same folder to decode and schedule the downloader.


Phase: Execution

  • Technique: Scripting with Batch Files
  • Procedure: The HTA drops and executes a batch file named "Microsoft.bat" in the victim's temporary folder.

Phase: Defense Evasion

  • Technique: Obfuscated Files or Information (certutil)
  • Command:
    certutil -decode %temp%\Microsoft.txt %temp%\Microsoft.exe

Phase: Persistence

  • Technique: Scheduled Task for Persistence
  • Command 1:
    schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\Microsoft.exe /sc minute -mo 5 /F
  • Command 2:
    schtasks /create /tn MicrosoftDeviceSync /tr C:\ProgramData\Chrome\ChromeDirver.exe /sc minute -mo 10 /F

Phase: Cleanup

  • Technique: Indicator Removal on Host
  • Command 1:
    schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN
  • Command 2:
    del /f /q %temp%\Microsoft.txt %temp%\Microsoft.hta
  • Command 3:
    del %0


Phase: Execution

  • Technique: Scheduled Task Execution
  • Procedure: The downloader runs through the Windows task MicrosoftEdgeUpdateTaskMachineClSAN.

Phase: Command and Control

  • Technique: File Download (Ingress Tool Transfer)
  • Procedure: The downloader fetches "chromeupdate.zip" from a hardcoded URL on an attacker-controlled server.

Phase: Execution

  • Technique: Archive Decompression
  • Procedure: Unpacking "chromeupdate.zip" into C:\ProgramData\Chrome.

Phase: Defense Evasion

  • Technique: DLL Side-Loading
  • Procedure:
  • Legitimate Executable: Use of the Samsung-signed RunHelp.exe to side-load the malicious DLL ssMUIDLL.dll.
  • Alternate Names: The same executable has been observed renamed to dxcap.exe or ChromeDriver.exe.

Phase: Payload Delivery

  • Technique: RAT Deployment
  • Procedure: The unpacked files are the SpiceRAT components (a legitimate executable, a malicious DLL loader, an encrypted payload and plugins).


Phase: Execution

  • Technique: DLL Sideloading
  • Procedure: The threat actor sideloads a malicious DLL "ssMUIDLL.dll" that abuses a legitimate Samsung helper application. The malicious DLL is executed using its exported function GetFullLangFileNameW2().

Phase: Persistence

  • Technique: Scheduled Task for Persistence
  • Command (switches written with dashes and mixed case, as in the sample):
    schtasks -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\Users\\AppData\Local\data\dxcap.exe"

Phase: Execution

  • Technique: Execution of Malicious Payload
  • Procedure: Copies the downloaded legitimate executable as "dxcap.exe" along with the malicious DLL "ssMUIDLL.dll" and encrypted payload "CGMIMP32.HLP" into "C:\Users\\AppData\Local\data\". This setup ensures the execution of "dxcap.exe" at regular intervals.


Phase: Initial Access

  • Technique: Use of RAT for Remote Access
  • Procedure: Deployment of SpiceRAT as a payload to gain initial access and execute further commands.

Phase: Execution

  • Technique: Execution via Export Functions
  • Procedure: SpiceRAT uses the GetFullLangFileNameW2 function to establish presence and create a mutex.

Phase: Persistence

  • Technique: Mutex Creation
  • Procedure: Create a mutex as an infection marker:
    • CreateMutex with names {00866F68-6C46-4ABD-A8D6-2246FE482F99} or {00861111-3333-4ABD-GGGG-2246FE482F99}.

Phase: Discovery

  • Technique: System Information Discovery
  • Procedure: Collect system information including OS version, hostname, username, IP address, and network card MAC address.

Phase: Defense Evasion

  • Technique: In-Memory Encryption
  • Procedure: Encrypt reconnaissance data and store it in memory to avoid detection.

This structured outline captures the essential TTPs used by the threat actor leveraging SpiceRAT, suitable for emulation by a red team.

A sample function that creates a Windows task.
Then the loader DLL takes a snapshot of the running processes on the victim machine and checks whether the legitimate executable that sideloads this malicious DLL is being debugged, by querying its process information with “NtQueryInformationProcess.” The loader DLL then executes another function that loads into memory the encrypted file “CGMIMP32.HLP,” which masquerades as a legitimate Windows help file, and decrypts it using the RC4 encryption algorithm. In one of the samples, we found that the DLL used the key phrase “{11AADC32-A303-41DC-BF82-A28332F36A2E}” to decrypt SpiceRAT in memory. After decryption, the loader DLL injects SpiceRAT into its parent process “dxcap.exe” and runs it from memory.
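To examine the payload a loader like this protects, an analyst needs the same RC4 step the loader performs, plus a sanity check that the result is really a PE image before handing it to further tooling. Below is an added example, not the loader's code or a Talos tool: a plain RC4 implementation keyed with the phrase quoted above, applied to a constructed blob. Treating the key phrase as ASCII bytes including the braces is an assumption (the report gives only the string), and the sample blob is a synthetic image with valid headers and no code, encrypted in the block itself so the example runs offline.

```python
"""
Added example, not the loader's code: RC4-decrypt a blob such as CGMIMP32.HLP
for analysis and confirm the result carries a PE header before going further.
"""
import struct

# Key phrase quoted in the report. Using its ASCII bytes, braces included, is
# an assumption; the report does not state how the loader encodes it.
LOADER_KEY = b"{11AADC32-A303-41DC-BF82-A28332F36A2E}"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_payload(blob: bytes, key: bytes = LOADER_KEY):
    """Return (plaintext, is_pe). Only treat the output as a binary when is_pe is True;
    a wrong key yields noise that fails the header check."""
    plain = rc4(key, blob)
    return plain, looks_like_pe(plain)


def make_fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in for a PE image: correct header layout, no code."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed sample "help file": the fake image encrypted with the report's key.
SAMPLE_HLP_BLOB = rc4(LOADER_KEY, make_fake_pe())

if __name__ == "__main__":
    plain, is_pe = decrypt_payload(SAMPLE_HLP_BLOB)
    print("decrypted %d bytes, PE header present: %s" % (len(plain), is_pe))
```

The header check matters more than it looks: RC4 gives no integrity signal, so a wrong key or a different sample decrypts without error into garbage, and the MZ/PE test is what tells an analyst the key is the right one for this blob.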

Phase: Persistence

  • Technique: Create Scheduled Task
  • Procedure: The threat actor uses a function to create a Windows task to establish persistence.

Phase: Defense Evasion

  • Technique: Process Debugging Check
  • Procedure: The loader DLL takes a snapshot of running processes and uses NtQueryInformationProcess to check for debugging attempts on the legitimate executable that sideloads the malicious DLL.

Phase: Execution

  • Technique: Sideload Malicious DLL
  • Procedure: The loader DLL utilizes sideloading to execute within a legitimate process.

Phase: Collection

  • Technique: Memory Decryption
  • Procedure:
    • The loader DLL loads an encrypted file, CGMIMP32.HLP, into memory, masquerading as a legitimate Windows help file.
    • It decrypts the file using the RC4 encryption algorithm with the key phrase "{11AADC32-A303-41DC-BF82-A28332F36A2E}".

Phase: Execution

  • Technique: Process Injection
  • Procedure: The loader DLL injects and executes SpiceRAT from memory into its parent process dxcap.exe.

A sample function that encrypts the reconnaissance data in memory.
During runtime, the RAT loads the WININET.dll file and imports the addresses of its functions to prepare for C2 communication.
A sample function that loads the APIs of WININET.dll.
Once the function addresses of WININET.dll are imported, the RAT executes the WinHttpPostShare function to communicate with the C2. It connects to the C2 server at a URL hardcoded in the binary, using the HTTP POST method. It then attempts to read the encrypted stream of reconnaissance data and user credentials from memory and send it to the C2 server. The C2 server responds with an encrypted message enclosed in HTML tags in the format “ ”. The RAT decrypts the response and writes it into the memory stream.
We discovered that the C2 server sends an encrypted binary stream to the RAT. The RAT decrypts the binary stream into a DLL file in memory and executes its exported functions. The decrypted DLL functions as a plugin to SpiceRAT.

Phase: Command and Control (C2) Communication

  • Technique: Dynamic API Resolution
  • Procedure: The RAT dynamically loads the WININET.dll and resolves function addresses to prepare for C2 communication.

  • Technique: Data Exfiltration Over C2 Channel
  • Command: Executes WinHttpPostShare with a hardcoded URL to communicate with the C2 server via HTTP POST.

Phase: Data Handling

  • Technique: In-Memory Encryption
  • Procedure: Encrypts reconnaissance data and user credentials in memory before exfiltration.

Phase: C2 Response Handling

  • Technique: Data Decryption
  • Procedure: Receives an encrypted response from the C2 server, decrypts it, and processes the enclosed data.

Phase: In-Memory Execution

  • Technique: Fileless Execution
  • Procedure: Decrypts a binary stream into a DLL within memory and executes its exported functions as a plugin to the RAT.

This structured attack flow enables the red team to emulate the techniques used in reconnaissance, exfiltration, and dynamic execution noted in the threat actor's procedures.

A sample function to run a PE file.
C2 communications
SneakyChef’s infrastructure includes the malware’s download and command and control (C2) servers. In one attack, the threat actor hosted a malicious ZIP archive on the server 45[.]144[.]31[.]57 and hardcoded the following URL in a malicious downloader executable.
http://45[.]144[.]31[.]57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zip
We observed that the threat actor used IP addresses and domain names to connect to the C2 servers in different samples of SpiceRAT in this campaign. Our research uncovered various C2 URLs hardcoded in SpiceRAT samples.
hxxp[://]94[.]198[.]40[.]4/homepage/index.aspx
hxxp[://]stock[.]adobe-service[.]net/homepage/index.aspx
hxxp[://]app[.]turkmensk[.]org[/]homepage[/]index.aspx
One of the C2 servers, 94[.]198[.]40[.]4, was found to be running Windows Server 2016 and hosted on the M247 network, which is frequently abused by APT groups. Passive DNS resolution data indicates that the IP address 94[.]198[.]40[.]4 resolved to the domain app[.]turkmensk[.]org, and we found another SpiceRAT sample in the wild that communicated with this domain.
Further analysis of the C2 server 94[.]198[.]40[.]4 uncovered a unique C2 communication pattern of SpiceRAT. SpiceRAT initially sends the encrypted reconnaissance data to the C2 URL through the HTTP POST method. The C2 server then responds with an encrypted message embedded in HTML tags.
We observed that SpiceRAT and its C2 servers use a three-byte prefix for their first three requests and responses, as shown in the table below.

Phase: Execution

  • Technique: PE File Execution
  • Procedure: A sample function is used to execute a PE file. This typically involves loading the file into memory and using APIs to execute it.

Phase: C2 Communication

  • Technique: HTTP Communication with C2
  • Procedure:
    • The malware downloader executable is hardcoded to fetch a malicious ZIP archive using the URL format:
      http://<C2_IP>:80/<Path>/chromeupdate.zip
    • SpiceRAT communicates with C2 servers using URLs such as:
      • hxxp[://]94[.]198[.]40[.]4/homepage/index.aspx
      • hxxp[://]stock[.]adobe-service[.]net/homepage/index.aspx
      • hxxp[://]app[.]turkmensk[.]org/homepage/index.aspx
    • The malware sends encrypted reconnaissance data via HTTP POST.
    • C2 response includes an encrypted message within HTML tags.
    • Uses a three-byte prefix for initial requests and responses to maintain communication patterns.

This structured detail provides the necessary information for red team emulation focused on the specific TTPs observed in the report.

Sample function of SpiceRAT executing the export functions of the plugin.
SpiceRAT plugin enables further attacks
The SpiceRAT plugin is a 32-bit dynamic link library compiled on March 28, 2023. The plugin has the original filename “Moudle.dll” and two export functions: Download and RunPE. The Download function of the plugin appears to access decrypted response data from the C2 server stored in the victim’s memory and write it to a file on disk, likely as commanded by the C2.
The downloader function of the SpiceRAT plugin.
The RunPE function appears to execute arbitrary commands or binaries, likely sent from the C2, using the WinExec API.

Phase: Execution

  • Technique: Use of Malicious Plugin (SpiceRAT)
  • Procedure: The attacker utilizes the SpiceRAT plugin, a 32-bit DLL, with the original filename "Moudle.dll."

Phase: Command and Control

  • Technique: Download and Execute
  • Function: Download
    • Procedure: Accesses decrypted response data from the C2 server stored in memory and writes it to a file on disk as instructed by the C2.
  • Function: RunPE
    • Procedure: Executes arbitrary commands or binaries received from the C2 using the WinExec API.

TTPs overlap with other malware campaigns
Talos assesses with medium confidence that the actor SneakyChef, using SpiceRAT and SugarGh0st RAT, is a Chinese-speaking actor, based on the language observed in the artifacts and overlapping TTPs with other malware campaigns.
In this campaign, we saw that SpiceRAT leverages the sideloading technique, utilizing a legitimate loader alongside a malicious loader and the encrypted payload. Although sideloading is a widely adopted tactic, technique and procedure (TTP), the choice to use the Samsung helper application to sideload the malicious DLL masquerading as the “ssMUIDLL.dll” file is particularly notable. This method has been previously observed in the PlugX and SPIVY RAT campaigns.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Phase: Defense Evasion

  • Technique: DLL Sideloading
  • Procedure: The attacker uses a legitimate loader application to load a malicious DLL masquerading as "ssMUIDLL.dll" to execute the encrypted payload. This is achieved by utilizing the Samsung helper application for sideloading.

Phase: Execution

  • Technique: Remote Access Tool (RAT) Deployment
  • Tools: SpiceRAT and SugarGh0st RAT
  • Procedure: The RATs are executed following the sideloading of the malicious DLL. These tools are leveraged for further activities such as reconnaissance, data exfiltration, or command execution.

Inference for Potential Commands

  1. Loading the Malicious DLL: while specific commands aren't provided, typical sideloading might involve:
    • Executing the legitimate application which loads the malicious DLL, e.g., legit_loader.exe
  2. RAT Execution: execution might be invoked via the loaded DLL, activating the SpiceRAT or SugarGh0st functionalities.

By understanding these techniques and potential procedures, the red team can simulate similar attack patterns to strengthen defenses and enhance readiness against TTPs involving DLL sideloading and RAT deployment.

C2 server response prefix
Our analysis suggests that the second request that SpiceRAT sends likely contains the encrypted stream of the victim’s machine user credentials. We found that for the third request that SpiceRAT sends from the victim machine, the C2 server responds with an encrypted stream of the SpiceRAT’s plugin binary. SpiceRAT then decrypts and injects the plugin DLL reflectively.
Once the plugin is downloaded and implanted on the victim’s machine, SpiceRAT sends another request with the prefix “wG.” The C2 server responds with an unencrypted message “D_OK”, likely to get a confirmation of successful payload download.
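The traits the report gives for this C2 channel (the three hardcoded hosts and the /homepage/index.aspx endpoint listed under "C2 communications" above, and the "wG" request answered with a plain-text "D_OK" described here) can be turned into a scoring rule for proxy or HTTP logs. The following is an added example, not Talos tooling; the record layout is an assumption and every record is constructed. The HTML tags that wrap the encrypted responses are not given in the report, so the rule does not match on them.

```python
"""
Added example, not Talos tooling: score HTTP/proxy log records against the
SpiceRAT C2 traits reported above. All records are constructed samples.
"""


def defang(host: str) -> str:
    """Write dots as [.] so indicators stay inert in configs and reports."""
    return host.lower().replace(".", "[.]")


# C2 hosts from the report, stored defanged; log hosts are defanged before lookup.
KNOWN_C2_HOSTS = {
    "94[.]198[.]40[.]4",
    "stock[.]adobe-service[.]net",
    "app[.]turkmensk[.]org",
}
C2_PATH = "/homepage/index.aspx"

SAMPLE_RECORDS = [  # constructed, not captured traffic
    # Fourth exchange from the report: "wG" request, plain "D_OK" reply.
    {"method": "POST", "host": "94.198.40.4", "path": "/homepage/index.aspx",
     "req_body": b"wG", "resp_body": b"D_OK"},
    # Earlier exchange: opaque encrypted bodies (prefix and tags not asserted on).
    {"method": "POST", "host": "App.Turkmensk.org", "path": "/homepage/index.aspx",
     "req_body": b"\x01\x02\x03" + bytes(range(0x80, 0xA8)),
     "resp_body": bytes(range(0xA8, 0xD0))},
    # Benign look-alike path on an unrelated host, fetched with GET.
    {"method": "GET", "host": "www.example.com", "path": "/homepage/index.aspx",
     "req_body": b"", "resp_body": b"<html>welcome</html>"},
    {"method": "POST", "host": "intranet.example.com", "path": "/api/login",
     "req_body": b"user=alice", "resp_body": b'{"ok":true}'},
]


def score(rec: dict) -> list:
    """Reasons a record resembles the reported SpiceRAT C2 exchange."""
    reasons = []
    if defang(rec["host"]) in KNOWN_C2_HOSTS:
        reasons.append("destination is a C2 host named in the report")
    if rec["method"] == "POST" and rec["path"].lower() == C2_PATH:
        reasons.append("POST to the reported C2 endpoint path /homepage/index.aspx")
    if rec["req_body"].startswith(b"wG") and rec["resp_body"].strip() == b"D_OK":
        reasons.append("'wG' request answered with plain-text 'D_OK'")
    return reasons


def scan(records: list) -> list:
    """Return [(index, reasons)] for records with at least one matching trait."""
    hits = []
    for i, rec in enumerate(records):
        reasons = score(rec)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_RECORDS):
        print("record %d: %s" % (idx, "; ".join(why)))
```

Host matching alone ages quickly once the infrastructure moves, so the rule also keys on the endpoint path combined with POST and on the short "wG"/"D_OK" exchange, which survives a change of server. The GET to the same path on an unrelated host scores nothing, which keeps ordinary web pages that happen to use that path out of the results.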

Phase: Command and Control (C2) Communication

  • Technique: Encrypted C2 Communication and DLL Injection
  • Procedure 1: SpiceRAT sends an encrypted stream likely containing victim machine user credentials to the C2 server.

  • Procedure 2: The C2 server responds with an encrypted plugin binary stream. SpiceRAT decrypts this stream and injects the plugin DLL reflectively into the victim's system.

  • Technique: C2 Communication for Confirmation

  • Procedure 3: After plugin implantation, SpiceRAT sends a request with the prefix "wG" to the C2 server. The server responds with the message "D_OK" to confirm successful payload download.

This sequence outlines how SpiceRAT manages encrypted communications for credential exfiltration, plugin deployment, and operation confirmation with its C2 server.

Gemini 2.0

Model: gemini-2.0-flash

Phase: Initial Access

  • Technique: Spear Phishing with RAR Archive
  • Procedure: The attacker sends spear-phishing emails containing a RAR archive as an attachment.
  • Tools: RAR

Phase: Execution

  • Technique: LNK File Execution
  • Procedure: The user is tricked into opening a malicious LNK file (masquerading as a PDF document).

  • Technique: Executing Malicious Launcher

  • Procedure: The LNK file executes an embedded command to run a malicious launcher executable.

  • Technique: HTA Execution

  • Procedure: The user runs the malicious HTA file contained within a RAR archive.

  • Technique: Decoding Base64

  • Procedure: The HTA file's Visual Basic script decodes a base64-encoded downloader binary disguised as a text file using certutil.
  • Command: certutil -decode %temp%\\Microsoft.txt %temp%\\Microsoft.exe

  • Technique: Scheduled Task Creation (for Persistence)

  • Command: schtasks /create /tn MicrosoftEdgeUpdateTaskMachineCISAN /tr %temp%\\Microsoft.exe /sc minute -mo 5 /F
  • Command: schtasks /create /tn MicrosoftDeviceSync /tr C:\\ProgramData\\Chrome\\ChromeDirver.exe /sc minute -mo 10 /F

  • Technique: Scheduled Task Deletion

  • Command: schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineCISAN

  • Technique: File Deletion

  • Command: del /f /q %temp%\\Microsoft.txt %temp%\\Microsoft.hta

  • Technique: Executing Downloaded Program

  • Procedure: After running on the victim's machine, the program downloads a malicious archive file.

Phase: Persistence

  • Technique: Scheduled Task Creation (for Persistence with SpiceRAT)
  • Command: schtasks -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\Users\<User>\AppData\Local\data\dxcap.exe"

Phase: Privilege Escalation/Defense Evasion/Execution

  • Technique: Disabling Security Tools/Indicators
  • Procedure: After establishing persistence, the script deletes the previously created MicrosoftDefenderUpdateTaskMachineCISAN schtask and other related files to remove traces and further persist.

Phase: Credential Access

  • Technique: Loading Encrypted Data
  • Procedure: Executing functions within "ssMUIDLL.dll" to read encoded data (encrypted SpiceRAT)

Phase: Discovery/Reconnaissance

  • Technique: System Information Gathering
  • Procedure: Collecting operating system version number, hostname, username, IP address, and network card hardware address.
  • Procedure: Encrypting and storing collected information in memory.

Phase: Command and Control (C2)

  • Technique: WININET API Usage
  • Procedure: Loading WININET.dll and importing function addresses to prepare for C2 communication.
  • Technique: HTTP POST
  • Procedure: Sending encrypted reconnaissance data to the C2 URL via HTTP POST method.
  • Procedure: Receiving encrypted messages enclosed in HTML tags from the C2 server.
  • Procedure: Executing decrypted DLL from the C2 server for further actions.

Phase: Execution (Plugin)

  • Technique: Arbitrary Command Execution
  • Procedure: Using RunPE function (likely based on WinExec API) to execute arbitrary commands received from the C2 server.

Gemini 2.5

Model: gemini-2.5-flash-preview-05-20

Phase: Initial Access

  • Technique: Phishing via Malicious Archives
    • Procedure: The threat actor sends spear-phishing emails containing malicious RAR file attachments.
    • Procedure: These emails are designed to deliver malware, using lures from a news agency to entice victims.
    • Procedure: Initial attack vectors identified are Windows shortcut (.LNK) and HTML Application (.HTA) files within the RAR archives.

Phase: Execution (LNK-based Infection Chain)

  • Technique: User Execution: Malicious Shortcut File
    • Procedure: The victim extracts the RAR file, which drops a malicious Windows shortcut (.LNK) and a hidden folder on their machine.
    • Procedure: When the victim opens the shortcut file (masquerading as a PDF document), it executes an embedded command.
    • Command (Inferred): explorer.exe "...\LaunchWlnApp.exe" (Executes a malicious launcher executable from the dropped hidden folder).
  • Technique: Signed Binary Proxy Execution / API Usage
    • Procedure: A malicious launcher executable (e.g., LaunchWlnApp.exe) is launched.
    • Tool/API: The launcher uses the ShellExecuteW API to read environment variables, determine execution paths, and run other components.
    • Procedure: The launcher simultaneously opens a decoy PDF document and runs a legitimate executable (e.g., dxcap.exe).
  • Technique: DLL Sideloading
    • Procedure: The legitimate executable is abused to sideload a malicious DLL loader (e.g., ssMUIDLL.dll).
    • Procedure: The malicious DLL loader executes its exported function (e.g., GetFullLangFileNameW2).
  • Technique: Reflective DLL Loading / Process Injection
    • Procedure: The malicious DLL loader loads the encrypted SpiceRAT payload into memory.
    • Procedure: The SpiceRAT payload is decrypted in memory using RC4 encryption.
    • Procedure: The loader DLL injects and runs the decrypted SpiceRAT from memory into its parent process (e.g., dxcap.exe).

Phase: Execution (HTA-based Infection Chain)

  • Technique: User Execution: Malicious HTA File
    • Procedure: The victim runs a malicious HTA file delivered within a RAR archive.
    • Procedure: The embedded malicious Visual Basic script within the HTA executes.
    • Procedure: The script drops a base64-encoded downloader binary (e.g., Microsoft.txt) into the victim's user profile temporary folder.
  • Technique: Command and Scripting Interpreter: Windows Command Shell / Utility Execution
    • Procedure: The HTA script then drops and executes a Windows batch file (e.g., Microsoft.bat) in the victim's user profile temporary folder.
    • Command: certutil -decode %temp%\\Microsoft.txt %temp%\\Microsoft.exe (Decodes the base64-encoded downloader binary).
  • Technique: Download
    • Procedure: The malicious downloader executable (e.g., Microsoft.exe), executed via a scheduled task, downloads a malicious archive file (e.g., chromeupdate.zip) from an attacker-controlled server.
    • Procedure: The downloaded archive's contents (SpiceRAT components) are unpacked into a specified folder (e.g., C:\ProgramData\Chrome).
  • Technique: DLL Sideloading
    • Procedure: A legitimate executable (e.g., ChromeDriver.exe), which is part of the unpacked SpiceRAT components, is used to sideload a malicious DLL loader.
  • Technique: Reflective DLL Loading / Process Injection
    • Procedure: The malicious DLL loader loads the encrypted SpiceRAT payload into memory.
    • Procedure: The SpiceRAT payload is decrypted in memory using RC4 encryption.
    • Procedure: The loader DLL injects and runs the decrypted SpiceRAT from memory into its parent process.

Phase: Persistence

  • Technique: Scheduled Task
    • Procedure: The malicious batch script creates a Windows scheduled task for persistence.
    • Command: schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\\Microsoft.exe /sc minute -mo 5 /F (Configures the downloader executable to run every five minutes).
    • Command: schtasks /create /tn MicrosoftDeviceSync /tr C:\\ProgramData\\Chrome\\ChromeDirver.exe /sc minute -mo 10 /F (Configures a downloaded legitimate executable to run every ten minutes).
    • Procedure: The malicious DLL loader creates a Windows task named "Microsoft Update" to maintain resilience.
    • Command: schtasks -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\Users\<User>\AppData\Local\data\dxcap.exe" (Configures dxcap.exe to run every two minutes).

Phase: Defense Evasion

  • Technique: File Deletion / Indicator Removal
    • Procedure: The malicious batch script deletes infection markers after establishing persistence.
    • Command: schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN (Deletes a previously created scheduled task).
    • Command: del /f /q %temp%\\Microsoft.txt %temp%\\Microsoft.hta (Deletes the base64-encoded downloader and the malicious HTA file).
    • Command: del %0 (Deletes the batch file itself).
  • Technique: Obfuscated Files or Information / Masquerading
    • Procedure: The encrypted SpiceRAT payload masquerades as a legitimate Windows help file (e.g., .HLP).
    • Procedure: The downloader binary is disguised as a text file (e.g., Microsoft.txt).
    • Procedure: The malicious DLL loader masquerades as a legitimate DLL (e.g., ssMUIDLL.dll).
  • Technique: Virtualization/Sandbox Evasion: Environmental Keying
    • Procedure: The loader DLL queries its process information using NtQueryInformationProcess to detect if it is running in a debugging environment.
  • Technique: Mutex Creation
    • Procedure: SpiceRAT creates a mutex as an infection marker on the victim machine to ensure only a single instance of the RAT is running.

Phase: Discovery / Collection

  • Technique: System Information Discovery
    • Procedure: SpiceRAT collects reconnaissance data from the victim's machine.
    • Data collected: Operating system version number, hostname, and username.
  • Technique: Network Information Discovery
    • Procedure: SpiceRAT collects the victim's IP address and system's network card hardware address (MAC address).
  • Technique: Data Encoding / Data Encrypted
    • Procedure: The collected reconnaissance data is encrypted.
    • Procedure: The encrypted reconnaissance data is stored in the machine's memory.

Phase: Command and Control

  • Technique: Application Layer Protocol: Web Protocols (HTTP POST)
    • Procedure: SpiceRAT loads WININET.dll and imports addresses of its functions to prepare for C2 communication.
    • Procedure: SpiceRAT communicates with the C2 server using the HTTP POST method via the WinHttpPostShare function.
    • Procedure: Encrypted reconnaissance data and user credentials are sent from memory to the C2 server.
    • Procedure: The C2 server responds with encrypted messages embedded within HTML tags.
    • Procedure: The communication utilizes a unique three-byte prefix for its initial requests and responses.
  • Technique: Custom Cryptographic Protocol
    • Procedure: Communication between SpiceRAT and its C2 server involves encrypted data streams.

Phase: Capabilities / Impact

  • Technique: Dynamic-link Library Capabilities (Plugin Framework)
    • Procedure: The C2 server sends an encrypted stream of binary data.
    • Procedure: SpiceRAT decrypts this binary stream into a DLL file in memory, which functions as a plugin (e.g., Moudle.dll).
    • Export Functions: The plugin has Download and RunPE export functions, enabling further malicious activities.
  • Technique: Ingress Tool Transfer (via Plugin)
    • Procedure: The Download function of the plugin accesses decrypted response data from the C2 server (stored in memory) and writes it to a file on disk, likely as commanded by the C2.
  • Technique: Execution (via Plugin)
    • Procedure: The RunPE function of the plugin executes arbitrary commands or binaries.
    • Tool/API: The RunPE function utilizes the WinExec API for execution.