A hacker group suspected of ties to the Communist Party of China has launched attacks on foreign affairs ministries and embassies in Europe. The attacks used the HTML Smuggling technique to deliver the PlugX trojan to infected systems.
Check Point's security research team reported on the SMUGX operation, stating that the campaign has been running since December 2022. The researchers noted that it uses new delivery methods for the PlugX spyware, which is commonly associated with Chinese threat actors, and that these methods have allowed the campaign to stay undetected for a long time.
While the specific group behind the operation is still unclear, the evidence points to the involvement of Mustang Panda, a group that overlaps with other tracked threat clusters, including Earth Preta, RedDelta, and Camaro Dragon. Check Point researchers stated, however, that there is currently not enough evidence to attribute the campaign to this team conclusively.
In the latest attacks of the SMUGX campaign, the operators used HTML Smuggling, a technique that abuses legitimate HTML5 and JavaScript features to assemble and launch malicious documents from attachments to phishing emails. Using these HTML5 features, the binary payload is stored inside the JavaScript code as encoded data and is only decoded into a file object when the page is opened in a web browser, so no ready-made malicious file crosses the network for perimeter scanners to inspect. This is what lets the attackers bypass detection measures.
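As an added example (not Check Point's code nor anything from the campaign), the following Python triage script looks for the static tells of an HTML Smuggling page described above: a large base64 literal inside a script, the browser calls that rebuild it as a file object, and a forced download. The indicator names and both sample pages are constructed for this example; the "payload" in the suspicious sample is filler, not a real file.

```python
import re
from html.parser import HTMLParser
# Static tells of an HTML smuggling page: a large base64 literal inside <script>,
# atob()/Blob/object-URL calls that rebuild it as a file in the browser, and a
# forced download (<a download>, the .download property, .click() or msSaveOrOpenBlob).
SCRIPT_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_prop": re.compile(r"\.download\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

class _Collector(HTMLParser):
    # Gathers <script> bodies and counts <a download> anchors.
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.download_anchors = False, [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "a" and any(name == "download" for name, _ in attrs):
            self.download_anchors += 1
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)
def score_html(html):
    # Returns matched indicators, their count and the longest base64 literal seen.
    parser = _Collector()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    hits = {name for name, pat in SCRIPT_INDICATORS.items() if pat.search(js)}
    if parser.download_anchors:
        hits.add("download_attr")
    longest = max((len(m.group(1)) for m in B64_LITERAL.finditer(js)), default=0)
    if longest:
        hits.add("large_b64_literal")
    return {"hits": sorted(hits), "score": len(hits), "longest_literal": longest}

# Constructed samples: the "payload" in SMUGGLED is 300 filler characters, not a real file.
SMUGGLED = ('<script>var b="' + "A" * 300 + '";var u=Uint8Array.from(atob(b),c=>c.charCodeAt(0));'
            'var f=new Blob([u]);var a=document.createElement("a");'
            'a.href=URL.createObjectURL(f);a.download="x.zip";a.click();</script>')
BENIGN = '<script>document.title="Report";</script><a href="/report.pdf">Report</a>'
```

A score of several indicators together is the signal; any single one (such as `atob` or an `<a download>` anchor) is common in legitimate pages and should not be alerted on by itself.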
Analysis of the documents uploaded to the VirusTotal malware database indicates that they target diplomats and government bodies in the Czech Republic, Hungary, Slovakia, Great Britain, and possibly France and Sweden.
The infection chain in this campaign uses the well-known DLL sideloading method to decrypt and launch the final payload, the PlugX spyware. PlugX is a modular trojan that first appeared in 2008; it supports a variety of plugins with different functions, letting operators steal files, capture screenshots, log keystrokes, and execute commands.
While investigating the samples, Check Point discovered a script sent by the attackers from the C2 server that is designed to erase the traces of their activity: it deletes the legitimate executable, the PlugX DLL loader, and the registry key used for persistence, and then deletes itself. This suggests the attackers are aware of the increased scrutiny and are taking steps to cover their tracks.