Chinese Hackers Attacking European Foreign Ministries And Embassies With HTML Smuggling
An unknown hacker group suspected of having links to the Chinese Communist Party attacked foreign ministries and embassies in Europe using HTML Smuggling techniques to deliver the PlugX Trojan to infected systems. This was reported by the cybersecurity company Check Point, which called operation SmugX. According to the researchers, the malicious campaign has been ongoing since December 2022.
"The campaign uses new delivery methods for PlugX, a spyware that is often associated with various Chinese threats," Check Point said in a report.
“Although the payload itself remains similar to that of older versions of PlugX, its delivery methods provide a low level of detection, which, until recently, helped the campaign go unnoticed,” the experts added.
Which group is responsible for this operation is not yet clear for sure, but the evidence points to the Mustang Panda group, which also has overlaps with other threat clusters known as Earth Preta, RedDelta and Camaro Dragon according to the Check Point classification. The researchers also said that there is currently "insufficient evidence" to definitively attribute this hacker collective.
The latest attack in the SmugX campaign is notable for using HTML Smuggling, a cunning technique in which cybercriminals abuse legitimate HTML5 and JavaScript capabilities to assemble and run malware in deceptive documents attached to phishing emails.
“HTML Smuggling uses HTML5 attributes that can work offline by storing the binary in an immutable block of data inside the JavaScript code. Block or embedded payload data is decoded into a file object when opened through a web browser,” Trustwave noted in February of this year.
An analysis of the documents that were uploaded to the VirusTotal malware database shows that they are designed to attack diplomats and government agencies in the Czech Republic, Hungary, Slovakia, the UK, and probably also France and Sweden.
The multi-stage infection process uses the already painfully familiar DLL Sideloading method to decrypt and launch the final payload, PlugX.
PlugX, on the other hand, is a spyware that appeared back in 2008 and is a modular Trojan capable of supporting “a variety of plug-ins with different functionality” that allows its operators to steal files, capture the screen, log keystrokes, and execute commands.
"During our study of the samples, the attacker sent a batch script received from the C2 server designed to erase any trace of his activity," Check Point said.
“This script destroys the legitimate executable, the PlugX loader DLL, and the registry key used for persistence, and then deletes itself. This is probably the result of the fact that the attackers realized that they were under scrutiny, ”the researchers concluded.
