HTML Smuggling European Embassies Hacked
admin 7 months ago
admin #news

Chinese Hackers Attacking European Foreign Ministries And Embassies With HTML Smuggling

An unknown hacker group suspected of having links to the Chinese Communist Party has attacked foreign ministries and embassies in Europe, using HTML Smuggling techniques to deliver the PlugX Trojan to infected systems. This was reported by the cybersecurity company Check Point, which has named the operation SmugX. According to the researchers, the malicious campaign has been ongoing since December 2022.

"The campaign uses new delivery methods for PlugX, a spyware that is often associated with various Chinese threats," Check Point said in a report.

“Although the payload itself remains similar to that of older versions of PlugX, its delivery methods provide a low level of detection, which, until recently, helped the campaign go unnoticed,” the experts added.

Which group is responsible for this operation is not yet known for certain, but the evidence points to Mustang Panda, a group that, according to Check Point's classification, overlaps with other threat clusters tracked as Earth Preta, RedDelta and Camaro Dragon. The researchers also said that there is currently "insufficient evidence" to definitively attribute the activity to this collective.

The latest attack in the SmugX campaign is notable for its use of HTML Smuggling, a cunning technique in which attackers abuse legitimate HTML5 and JavaScript features to assemble and launch malware from deceptive documents attached to phishing emails.

“HTML Smuggling uses HTML5 attributes that can work offline by storing the binary in an immutable block of data inside the JavaScript code. Block or embedded payload data is decoded into a file object when opened through a web browser,” Trustwave noted in February of this year.
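
A defender-side illustration of the mechanism that quote describes, added here as an example and not part of the original report or of Check Point's or Trustwave's tooling: a small Python scanner that pulls the script bodies out of an HTML attachment and scores the browser features HTML Smuggling relies on (an in-memory Blob, an object URL, base64 decoding, a scripted download). The indicator list, weights and threshold are assumptions chosen for this example, and both sample documents are constructed.

```python
import re
from html.parser import HTMLParser

# Indicators of HTML smuggling in <script> bodies: (regex, description, weight).
# Weights and the alert threshold are assumptions chosen for this example.
INDICATORS = [
    (r"\bnew\s+Blob\s*\(", "Blob built in script", 3),
    (r"URL\.createObjectURL\s*\(", "object URL for in-memory data", 3),
    (r"\batob\s*\(", "base64 decode in script", 2),
    (r"\.download\s*=", "download name set from script", 2),
    (r"\.click\s*\(\s*\)", "synthetic click", 1),
    (r"[A-Za-z0-9+/]{200,}={0,2}", "long base64-looking literal", 3),
]
ALERT_THRESHOLD = 7

class ScriptCollector(HTMLParser):
    """Gather the raw text of every <script> element in a document."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_html(html):
    """Score one HTML attachment: returns (score, suspicious?, matched descriptions)."""
    collector = ScriptCollector()
    collector.feed(html)
    text = "\n".join(collector.scripts)
    hits = [(desc, w) for pat, desc, w in INDICATORS if re.search(pat, text)]
    score = sum(w for _, w in hits)
    return score, score >= ALERT_THRESHOLD, [d for d, _ in hits]

# Constructed samples: a smuggling-style dropper (placeholder payload) and a benign page.
SMUGGLING_SAMPLE = """<html><body><script>
var f = new Blob([atob("BASE64_PLACEHOLDER")], {type: "application/octet-stream"});
var a = document.createElement("a"); a.href = URL.createObjectURL(f);
a.download = "report.zip"; a.click();</script></body></html>"""
BENIGN_SAMPLE = '<html><body><script>document.title = atob("SGVsbG8=");</script></body></html>'
```

At a mail gateway this would run over every .htm/.html attachment and flag or quarantine anything at or above the threshold; a lone long base64 literal or a single atob() call scores below it, so a page that merely embeds an image or decodes a short string is not flagged on that signal alone.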

An analysis of the documents uploaded to the VirusTotal malware database shows that they are designed to target diplomats and government agencies in the Czech Republic, Hungary, Slovakia and the UK, and probably also France and Sweden.

The multi-stage infection chain uses the all-too-familiar DLL sideloading technique to decrypt and launch the final payload, PlugX.

PlugX itself is spyware that first appeared back in 2008: a modular Trojan that supports “a variety of plug-ins with different functionality”, allowing its operators to steal files, capture the screen, log keystrokes, and execute commands.

"During our study of the samples, the attacker sent a batch script received from the C2 server designed to erase any trace of his activity," Check Point said.

“This script destroys the legitimate executable, the PlugX loader DLL, and the registry key used for persistence, and then deletes itself. This is probably the result of the fact that the attackers realized that they were under scrutiny,” the researchers concluded.

