Sogu

Malware updated a year ago (2024-11-29T14:22:01.690Z)

Download STIX

Preview STIX

SOGU is a malicious software (malware) attributed to TEMP.Hex, a threat actor linked to China. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. SOGU has been associated with various other malware including SHOTPUT, COOKIECUTTER, PANDORA, ZXSHELL, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, TEMPFUN, Gh0st, TRAVELNET, HOMEUNIX, and ZEROTWO. The primary infection vector of the SOGU malware is through an infected USB drive. However, it also uses phishing emails as its initial compromise method. These emails, often generic in nature and appearing to be spam, are used by APT3, another threat actor. APT27 and APT21, on the other hand, use spear phishing as their initial compromise method, leveraging email messages with malicious attachments, links to malicious files, or web pages. SOGU loaders have been identified in several instances (#9214, #9215) being delivered via email as compressed attachments. In terms of technical execution, the SOGU loader is written to disk (#9210), then moves into a pre-execution phase (#9211). It is then transferred over HTTP/S (#9212, #9213). SafeBreach provides coverage of the SOGU malware, offering insights into its operation and potential countermeasures. Understanding this malware and its attack vectors is crucial in developing effective defenses and response strategies.

Description last updated: 2024-05-04T17:43:12.346Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Korplug is a possible alias for Sogu. Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Mandiant

Loader

Espionage

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The PlugX Malware is associated with Sogu. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s	Unspecified	2

Source Document References

Information about the Sogu Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	16 days ago	Chinese-Linked Hackers Exploit Windows Flaw to Spy on EU Diplomats
CERT-EU	2 years ago	NoEscape Ransomware, AvosLocker Ransomware, Retch Ransomware, S-H-O Ransomware and More: Hacker’s Playbook Threat Coverage Round-up: October 31st, 2023
MITRE	3 years ago	Threat Spotlight: Group 72
BankInfoSecurity	2 years ago	Breach Roundup: IT Worker Sentenced for Impersonation
DARKReading	2 years ago	Sogu, SnowyDrive Malware Spreads, USB-Based Cyberattacks Surge
CERT-EU	2 years ago	The Shocking Data on Kia and Hyundai Thefts in the US
CERT-EU	2 years ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
MITRE	3 years ago	Advanced Persistent Threats (APTs) \| Threat Actors & Groups
CERT-EU	2 years ago	Cyber Security Today, July 17, 2023 – USB-based attacks rising, attacks on AWS increasing and more \| IT World Canada News
CERT-EU	2 years ago	Sharp Increase in Malware Attacks via USB Flash Drives \| IT Security News
CERT-EU	2 years ago	Hackers Leverage USB Flash Drives to Attack Public and Private Sectors Globally
CERT-EU	2 years ago	Malicious USB Drives Targetinging Global Targets with SOGU and SNOWYDRIVE Malware \| IT Security News
MITRE	3 years ago	APT10 MenuPass Group \| Global Targeting Using New Tools