
Chinese hackers employ HTML smuggling to target European Ministries with PlugX Trojan


Chinese state-sponsored hackers have recently been identified conducting a sophisticated cyber espionage campaign targeting Foreign Affairs ministries and embassies across Europe. The operation, named SmugX, utilizes HTML smuggling techniques to deliver the notorious PlugX remote access trojan, according to cybersecurity firm Check Point.

Since December 2022, this campaign has been ongoing, with the threat actors leveraging HTML smuggling, a stealthy method that exploits legitimate HTML5 and JavaScript features to assemble and launch the malware. By employing these innovative delivery techniques, the attackers have managed to evade detection, remaining under the radar until now.

Although the exact identity of the threat actor remains uncertain, the evidence points towards Mustang Panda, a Chinese hacking group with connections to Earth Preta, RedDelta, and Check Point’s own designation, Camaro Dragon. However, conclusive attribution is yet to be established.

Of particular significance is the use of HTML smuggling in the decoy documents attached to spear-phishing emails. HTML smuggling leverages HTML5 attributes that can function offline by storing binary data within JavaScript code. This data blob, or embedded payload, is decoded into a file object when opened via a web browser, enabling the malware to be executed discreetly.
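As an added example (not code from the article or from Check Point), the following Python scanner flags the indicators just described in a saved HTML attachment: a JavaScript Blob assembled client-side, a long base64 string literal holding the payload, and the download attribute or an automatic click that hands the file to the user. The sample HTML and its zero-padded ZIP header are constructed for the demonstration; the indicator names and thresholds are the author's assumptions.

```python
import base64
import re

# Indicators typical of HTML smuggling: the browser assembles a file from a JavaScript
# Blob and hands it to the user through an anchor's download attribute.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob", re.I),
    "download_attr": re.compile(r"\.download\s*=|<a[^>]+\bdownload\b", re.I),
    "atob": re.compile(r"\batob\s*\(", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A long run of base64 characters in a string literal is the embedded payload.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x7fELF": "elf"}


def classify_blob(data: bytes) -> str:
    """Identify the decoded file type from its leading magic bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def scan_html(html: str) -> dict:
    """Return triggered indicators, decoded payload summaries and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # not real base64, e.g. a long identifier or hash string
        payloads.append({"size": len(raw), "type": classify_blob(raw)})
    # Core pattern: client-side assembly of a Blob plus an embedded encoded blob.
    assembles = any(h in hits for h in ("blob_ctor", "object_url", "ms_save_blob"))
    return {"indicators": hits, "payloads": payloads,
            "suspicious": assembles and bool(payloads)}


# Constructed sample: a ZIP header padded with zeros stands in for the smuggled file,
# wrapped in the assemble-and-download script fragment the scanner looks for.
SAMPLE_BLOB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_HTML = f"""<html><body><script>
var blob = new Blob([atob('{SAMPLE_BLOB}')], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'Update.zip'; a.click();
</script></body></html>"""
```

Run `scan_html` over the HTML body of quarantined attachments; a plain download link without client-side Blob assembly is reported but not marked suspicious, which keeps legitimate "download this report" pages out of the alert queue.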

Analysis of the malicious documents, uploaded to the VirusTotal malware database, indicates that they are tailored to target diplomats and government entities in Czechia, Hungary, Slovakia, the U.K., Ukraine, and possibly France and Sweden. In one instance, the threat actor employed a lure titled “China Tries to Block Prominent Uyghur Speaker at UN.docx,” exploiting an Uyghur-themed topic. Opening the document triggers a beaconing process to an external server, facilitating the exfiltration of reconnaissance data through an embedded, invisible tracking pixel.

The infection process involves multiple stages and utilizes DLL side-loading techniques to decrypt and launch the final payload, PlugX. Also known as Korplug, this modular trojan has been active since 2008 and supports diverse plugins that enable various malicious activities, including file theft, screen captures, keystroke logging, and command execution.

During their investigation, Check Point discovered that the threat actors deployed a batch script, named del_RoboTask Update.bat, to eliminate any traces of their activities. This script deletes the legitimate executable, the PlugX loader DLL, and the registry key used for persistence before ultimately removing itself. It appears that the threat actors became aware of the scrutiny they were under and took measures to cover their tracks.

The cyber espionage campaign carried out by these Chinese hackers highlights the evolving tactics and techniques employed by state-sponsored threat actors. European ministries and embassies, especially those in the targeted countries, should remain vigilant and enhance their cybersecurity defenses to mitigate the risk of falling victim to such advanced attacks.
