Chinese Threat Actors Target Europe in SmugX Campaign

Malicious campaigns by Chinese threat actors have been observed targeting European government agencies, particularly foreign and domestic policy organizations.

Dubbed “SmugX” and discovered by Check Point Research (CPR), the campaign uses HTML smuggling, a technique that hides malicious payloads inside HTML documents to evade network-based detection.

This attack has been observed since at least December 2022 and relies on a new delivery method that deploys a variant of PlugX, an implant commonly used by various Chinese threat actors.

Read more about PlugX: Black Basta introduces PlugX malware to USB devices with new technique

In an advisory published earlier today, CPR said the use of HTML smuggling and other delivery techniques led to low detection rates, which until recently has kept this campaign under the radar.

The campaign’s lure themes revolve primarily around European domestic and foreign policy, and targets are mainly Eastern European government ministries. Documents used as decoys often contain China-related content, such as diplomatic materials.

Two main infection chains have been observed in this campaign. In one scenario, an HTML file smuggled a ZIP archive containing a malicious LNK file; in the other, a JavaScript file downloaded and executed an MSI file from the attacker’s server. Both chains ultimately led to the deployment of the PlugX malware.
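As an added example (not code from the article or from CPR), the following defender-side triage script looks for the two things the first infection chain above combines: the JavaScript file-writing APIs that HTML smuggling relies on, and a long base64 run that decodes to a ZIP archive holding a .lnk entry. The sample HTML is constructed inline and carries a harmless placeholder file, not a real payload.

```python
import base64
import io
import re
import zipfile

# Constructed sample: a minimal HTML page with the tell-tale JavaScript of
# HTML smuggling and an in-memory ZIP whose only entry is named like the LNK
# stage. The script fragment is indicator-bearing, not a working dropper.
def _build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.lnk", "placeholder text, not a real shortcut " * 2)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><script>\n"
        f"var data = '{b64}';\n"
        "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
        "var a = document.createElement('a');\n"
        "a.href = URL.createObjectURL(blob); a.download = 'Document.zip';\n"
        "</script></body></html>"
    )

SAMPLE_HTML = _build_sample_html()

# Browser APIs a smuggling page needs in order to materialise a file on disk.
JS_INDICATORS = ("new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob")
# Long unbroken base64 runs; the threshold is a tuning assumption.
B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

def analyze_html(html: str) -> dict:
    """Return smuggling indicators found in one HTML document."""
    result = {"js_indicators": [i for i in JS_INDICATORS if i in html],
              "embedded_zip": False, "zip_entries": [], "lnk_inside": False}
    for m in B64_RE.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
            if not blob.startswith(b"PK\x03\x04"):  # ZIP local file header
                continue
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                result["zip_entries"] = zf.namelist()
        except (ValueError, zipfile.BadZipFile):
            continue
        result["embedded_zip"] = True
        result["lnk_inside"] = any(n.lower().endswith(".lnk")
                                   for n in result["zip_entries"])
    return result

def is_suspicious(html: str) -> bool:
    """Flag a page that both embeds a ZIP and uses two or more file-writing APIs."""
    r = analyze_html(html)
    return r["embedded_zip"] and len(r["js_indicators"]) >= 2
```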

According to CPR, the SmugX campaign shows similarities to previous activity by Chinese APT actors RedDelta and Mustang Panda.

Additionally, although there is a correlation between the SmugX campaign and the Camaro Dragon group’s activities, there is insufficient evidence to directly link them at this time.

“None of the techniques observed in this campaign were new or unique, but the combination of different tactics and different infection chains that resulted in low detection rates kept the attackers from being noticed for quite some time. We were able to prevent it from happening,” CPR wrote.

CPR added that the appearance of SmugX highlights a broader pattern observed among Chinese threat actors.

“[The] campaign […] is part of a larger trend we are seeing of Chinese threat actors shifting their focus to Europe.”

The CPR advisory comes weeks after China banned products sold by US chipmaker Micron, citing cybersecurity concerns.
