Introduction
Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on SOGU, a backdoor written in C.
Description
SOGU is a backdoor written in C that supports file exfiltration, keylogging, a remote command shell and file upload/download, and can extend its functionality with additional plugins. The backdoor has existed since at least 2008 and remains under continuous development, with new variants constantly being discovered.
Sogu malware propagates via infected USB storage devices, posing a significant threat even to computers isolated from networks. These compromised drives frequently circulate through shared computing environments like internet cafés, creating high-risk transmission zones. Upon connection, the infected drive automatically deploys the malware to the target system, circumventing conventional network security protections. This attack vector is particularly effective because it exploits users’ confidence in USB drives as reliable, network-independent data transfer tools.
As an advanced threat, once a system is infected Sogu establishes connections with a command-and-control server for data extraction, enabling attackers to evaluate numerous compromised systems and identify valuable targets. This functionality allows UNC53 to sustain extended intelligence-gathering operations while minimizing detection risks. The malware’s persistent data exfiltration capabilities and remote system control make it particularly effective for cyber intelligence collection, especially in areas with less sophisticated cybersecurity defenses.
Malware Type:
Backdoor
Operating System:
Windows
Aliases:
ChChes, DestroyRAT, Doplugs, FastDropper, FastLoader, Kaba, Korplug, PlugX, Royal Road, Sogu.
Confirmed Targeted Industries:
Civil Society & Non-Profits, Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, and Transportation.
Associated Threat Actors:
APT1, APT10, APT15, APT17, APT18, APT20, APT21, APT22, APT26, APT27, APT3, APT31, APT4, APT40, APT41, APT9, Bolo Team, Conference Crew, Conimes Team, TEMP.Avengers, TEMP.DragonOk, TEMP.Hex, TEMP.Trident, UNC124, UNC147, UNC2603, UNC215, UNC228, UNC2286, UNC230, UNC251, UNC262, UNC28, UNC3569, UNC3658, UNC3808, UNC467, UNC551, UNC581, UNC94
Associated Malware:
ANTILORE, BASSLINE, BEACON, CASUMARZU, CHIPSEAL, COOKBOOK, CUCKOOEGG, FAKEMILL, FIREPIT, FLOWERPOT, Gh0st, GLASSFLAW, GOLDENBOOK, GOOGONE, HIGHNOON, HOMEUNIX, LIGHTHAND, LUMMAC.V2, MONOPOD, OTTERCON, PHOTO, PISCES, POISONIVY, RATTRAP, ROCKBOOT, SAWDRAIN, SIDESTEP, SMALLPLATE, SOGU.SEC, SOURDROP, SWETSNACK, TATER, TIGERPLUS, TINYSHOT, WASHBOARD, WETFOSSIL, WHEELWELL, XDOOR, ZXSHELL.
Associated Vulnerabilities:
CVE-2004-0320, CVE-2010-2883, CVE-2011-0611, CVE-2011-2462, CVE-2012-0158, CVE-2012-2539, CVE-2012-4792, CVE-2013-0422, CVE-2014-1761, CVE-2015-1641, CVE-2015-5119, CVE-2015-5122, CVE-2017-0199, CVE-2017-11882, CVE-2017-8570, CVE-2018-0802.
Find the full list of IOCs here:
Security Recommendations
To combat the ever-growing threats posed by USB-based malware attacks, CcHUB recommends that organizations:
- Implement a Removable Device Policy
- Encrypt sensitive data
- Conduct regular audits of their information systems
- Conduct regular employee awareness training
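Two of these recommendations, a removable device policy and regular audits, can be checked together on a Windows endpoint. The script below is an added example, not part of the Darkstream Dispatch report or any CcHUB tooling: it audits the Group Policy-backed registry values that block the automatic deployment of code from an inserted USB drive described above, and with -Enforce sets them. The check list and the PASS/FAIL output format are this example's own choices; the registry paths and value names are the documented Windows settings.

```powershell
# Added example (not from the report). Run in an elevated PowerShell session.
# Audits the policy values behind the USB propagation path: AutoRun and
# execute/write access to removable disks. Use -Enforce to apply the values.
param([switch]$Enforce)

# Device-class GUID for disk drives (Windows "Removable Disks" policy key).
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

$checks = @(
    @{ Name = 'AutoRun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Name = 'Execute access denied on removable disks'
       Path = $removableDisks; Value = 'Deny_Execute'; Expected = 1 },
    @{ Name = 'Write access denied on removable disks'
       Path = $removableDisks; Value = 'Deny_Write'; Expected = 1 }
)

$failures = 0
foreach ($c in $checks) {
    # Missing value or key means the policy is not applied.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -ne $current -and $current -eq $c.Expected) {
        Write-Output "[PASS] $($c.Name)"
        continue
    }
    $failures++
    Write-Output "[FAIL] $($c.Name): current=$current expected=$($c.Expected)"
    if ($Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord -Value $c.Expected -Force | Out-Null
        Write-Output "       -> set $($c.Value)=$($c.Expected)"
    }
}

# Non-zero exit lets an audit job flag hosts that are out of policy.
exit $failures
```

A stricter variant for hosts that never need USB storage is to set the USBSTOR service Start value to 4, which disables the USB mass-storage driver entirely; that is deliberately left out here because it also blocks legitimate drives.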
To read more about how you or your organization can detect SOGU, kindly read the Google Cloud Community article here.
If you suspect a security breach, reach out to us on our helpdesk (help@cchub.africa).