Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Geo Focus: Asia
Chinese Hackers Are Using HTML Smuggling to Target Europe
Hackers Deploy Updated PlugX Malware Variant to Target Foreign Affairs Ministries
A Chinese nation-state group is hacking foreign affairs ministries and embassies across Europe, employing a sophisticated HTML-smuggling technique to deliver the PlugX remote access Trojan to compromised systems. The technique underpins a targeted and covert campaign, raising concerns about the security of diplomatic institutions and their sensitive information.
Researchers at Check Point Research observed SmugX, a new variant of PlugX that has been active since at least December 2022, in an ongoing campaign. They found overlapping similarities with a previously reported campaign attributed to RedDelta and Mustang Panda.
"Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy," the researchers said.
HTML smuggling enables attackers to hide malicious payloads inside HTML documents. In the latest campaign, HTML smuggling is used to download either a JavaScript or a ZIP file.
Opening a malicious HTML document triggers a chain of events: the payload embedded in the page's code is decoded and written to a JavaScript blob, with the appropriate file type specified, such as application or ZIP.
The JavaScript code then creates an HTML <a> element, calls the createObjectURL function on the blob to obtain a URL object, and sets the element's download attribute to the desired filename, the researchers said.
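The download chain described above (embedded payload, decoded in script, wrapped in a Blob, exposed through createObjectURL and handed to an anchor with a download attribute) leaves a recognisable footprint in the page's script blocks. The following Python heuristic, added here as an illustration and not part of Check Point's research or tooling, extracts the script text from an HTML document and scores it against those indicators. All samples, indicator names and thresholds are constructed for the example; the "payload" in the smuggling sample is filler, not a real archive.

```python
import re
from html.parser import HTMLParser

# Hypothetical detection heuristic (not Check Point's tooling). It looks for the
# combination of browser APIs the SmugX write-up describes: a payload embedded in
# the HTML, decoded in script, wrapped in a Blob, turned into a URL with
# createObjectURL and handed to an <a> element whose download attribute names the file.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"""\.download\s*=|setAttribute\s*\(\s*['"]download['"]"""),
    "decode": re.compile(r"\batob\s*\(|Uint8Array"),
    "anchor_create": re.compile(r"""createElement\s*\(\s*['"]a['"]\s*\)"""),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "archive_mime": re.compile(r"application/(zip|octet-stream|x-msdownload)", re.I),
}
# A long run of base64 alphabet inside a script is the embedded payload itself.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


class ScriptExtractor(HTMLParser):
    """Collects the text of every <script> block in a document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def analyse_html(html):
    """Return the indicators hit, a count, and a coarse verdict for one HTML document."""
    script_text = "\n".join(extract_scripts(html))
    hits = {name: bool(rx.search(script_text)) for name, rx in INDICATORS.items()}
    hits["embedded_b64"] = bool(B64_RUN.search(script_text))
    score = sum(hits.values())
    # The Blob -> createObjectURL -> download chain is shared with legitimate
    # client-side exporters ("Download CSV"), so on its own it only earns a review.
    chain = hits["blob_ctor"] and hits["object_url"] and hits["download_attr"]
    payload = hits["decode"] or hits["archive_mime"] or hits["embedded_b64"]
    if chain and payload:
        verdict = "suspicious"
    elif chain or score >= 3:
        verdict = "review"
    else:
        verdict = "benign"
    return {"indicators": hits, "score": score, "verdict": verdict}


# Constructed samples for a stand-alone run; the "payload" is filler, not malware.
SMUGGLING_SAMPLE = """<html><body><p>Draft agenda</p><script>
var data = atob('""" + "A" * 256 + """');
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) { bytes[i] = data.charCodeAt(i); }
var blob = new Blob([bytes], {type: 'application/zip'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Document.zip';
a.click();
</script></body></html>"""

CSV_EXPORT_SAMPLE = """<html><body><script>
var blob = new Blob(['id,name\\n1,alice'], {type: 'text/csv'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'report.csv';
a.click();
</script></body></html>"""

PLAIN_SAMPLE = """<html><body><h1>Notice</h1>
<script>document.title = 'Notice';</script></body></html>"""

if __name__ == "__main__":
    for label, doc in [("smuggling", SMUGGLING_SAMPLE),
                       ("csv export", CSV_EXPORT_SAMPLE),
                       ("plain", PLAIN_SAMPLE)]:
        result = analyse_html(doc)
        print(f"{label:10s} score={result['score']} verdict={result['verdict']}")
```

The three-way verdict matters in practice: a page that only builds a Blob and triggers a download is what every client-side "export" button does, so the heuristic reserves "suspicious" for the combination with a decoding step, an archive or executable MIME type, or a large inline base64 literal, which is the part of the pattern that distinguishes a smuggled payload from a generated report.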
The majority of the phishing content covered diplomacy-related topics, and in more than one case the content related directly to China. The lure documents included an article about two Chinese human rights lawyers being sentenced to more than a decade in prison, a letter originating from the Serbian Embassy in Budapest, and a document stating the priorities of the Swedish presidency of the Council of the European Union.
Researchers observed two main infection chains that originate from an HTML file that saves the second stage to the download folder.
One chain of attacks takes a deceptive approach by embedding an LNK file within a ZIP file. The second chain uses JavaScript to retrieve an MSI file from a remote server.
PowerShell then runs the hijacked software, triggering execution of the PlugX payload. The malware lets the attackers carry out a range of malicious activities on compromised systems, including file theft, screen captures, keystroke logging and command execution.