Sogu

Malware Profile Updated 3 months ago
SOGU is malicious software (malware) attributed to TEMP.Hex, a threat actor linked to China. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. SOGU has been associated with various other malware, including SHOTPUT, COOKIECUTTER, PANDORA, ZXSHELL, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, TEMPFUN, Gh0st, TRAVELNET, HOMEUNIX, and ZEROTWO. The primary infection vector of the SOGU malware is an infected USB drive. However, it also uses phishing emails as an initial compromise method. These emails, often generic in nature and appearing to be spam, are used by APT3, another threat actor. APT27 and APT21, on the other hand, use spear phishing as their initial compromise method, leveraging email messages with malicious attachments, links to malicious files, or web pages. SOGU loaders have been identified in several instances (#9214, #9215) being delivered via email as compressed attachments. In terms of technical execution, the SOGU loader is written to disk (#9210), then moves into a pre-execution phase (#9211). It is then transferred over HTTP/S (#9212, #9213). SafeBreach provides coverage of the SOGU malware, offering insights into its operation and potential countermeasures. Understanding this malware and its attack vectors is crucial in developing effective defenses and response strategies.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Korplug | 3 | Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
ZxShell | 1 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
SHOTPUT | 1 | Shotput is a sophisticated malware associated with Advanced Persistent Threat 3 (APT3), an infamous cyber-espionage group. The malware, also detected as Backdoor.APT.CookieCutter by FireEye, infiltrates systems through phishing emails that appear to be spam. The attack vector involves the use of a F
Beacon | 1 | The attack pattern "beacon" refers to a method used by attackers to maintain persistent access to a compromised system. In this case, the red team successfully installed a persistent beacon on Workstation 2 after one user triggered their payload. The attackers utilized an HTTPS Cobalt Strike Beacon,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Loader
Mandiant
Payload
Espionage
Windows
Proxy
Phishing
Beacon
Lateral Move...
Fireeye
Implant
Exploit
Spam
Rat
Worm
Associated Malware
ID | Type | Votes | Profile Description
PlugX | Unspecified | 1 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Associated Threat Actors
ID | Type | Votes | Profile Description
APT10 | Unspecified | 1 | APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted
APT3 | Unspecified | 1 | APT3, also known as the UPS Team, is a highly sophisticated threat group suspected to be based in China and attributed to the Chinese Ministry of State Security (MSS) and Boyusec. This threat actor targets sectors including Aerospace and Defense, Construction and Engineering, High Tech, Telecommunic
APT31 | Unspecified | 1 | APT31, also known as Zirconium, is a threat actor group believed to be sponsored by the Chinese government. This group has been implicated in various cyber espionage activities across the globe. One of their notable exploits includes the cloning and use of an Equation Group exploit, EpMe (CVE-2017-0
APT27 | Unspecified | 1 | APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario
Mustang Panda | Unspecified | 1 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sogu malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | NoEscape Ransomware, AvosLocker Ransomware, Retch Ransomware, S-H-O Ransomware and More: Hacker’s Playbook Threat Coverage Round-up: October 31st, 2023
MITRE | a year ago | Threat Spotlight: Group 72
BankInfoSecurity | a year ago | Breach Roundup: IT Worker Sentenced for Impersonation
DARKReading | a year ago | Sogu, SnowyDrive Malware Spreads, USB-Based Cyberattacks Surge
CERT-EU | 10 months ago | The Shocking Data on Kia and Hyundai Thefts in the US
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
CERT-EU | a year ago | Cyber Security Today, July 17, 2023 – USB-based attacks rising, attacks on AWS increasing and more | IT World Canada News
CERT-EU | a year ago | Sharp Increase in Malware Attacks via USB Flash Drives | IT Security News
CERT-EU | a year ago | Hackers Leverage USB Flash Drives to Attack Public and Private Sectors Globally
CERT-EU | a year ago | Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware | IT Security News
MITRE | a year ago | APT10 MenuPass Group | Global Targeting Using New Tools