A Chinese threat group has recently been targeting European policy-makers using a sneaky HTML technique called HTML Smuggling to spread the PlugX remote access Trojan (RAT), according to Check Point Research (CPR) analysts. This campaign, named SmugX, has been ongoing for at least two months and appears to have a connection to a previously reported campaign conducted by a Chinese Advanced Persistent Threat (APT) group known as RedDelta, as well as the work of another Chinese APT group called Mustang Panda (also known as Camaro Dragon or Bronze President). However, there is not enough evidence to definitively link SmugX to either group.
The SmugX campaign represents a shift in targeting for Chinese threat actors, as they have typically focused on Russia, Asia, and the US in their previous attacks. However, a recent campaign linked to Mustang Panda indicated that these groups have already engaged in threat activity in Europe. SmugX mainly targets governmental ministries in Eastern European countries such as Ukraine, the Czech Republic, Slovakia, and Hungary, as well as in Sweden, France, and the UK. The malware is delivered through HTML documents that contain diplomatic-related content. These documents impersonate key agencies in the respective European countries to appear legitimate.
The malware is embedded within these HTML documents, which lets it slip past network-based detection: the payload never crosses the network as a recognisable executable, only as data inside a web page. When one of the malicious HTML documents is opened, JavaScript in the page decodes the embedded payload, which carries the PlugX RAT. This RAT has been used by Chinese threat actors since 2008 and allows them to carry out various malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution.
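As an added, defender-side example that is not part of the CPR report or this article: a small static triage script that flags HTML files showing the in-browser file-assembly pattern described above (a script that decodes an embedded blob and hands it to the browser as a download). The indicator patterns, the size threshold and the two sample documents are my own assumptions and constructions, not SmugX indicators.

```python
import re
from html.parser import HTMLParser

# Script-side calls typically seen when a file is assembled inside the browser
# rather than fetched from a server (assumed heuristics, not page-derived IoCs).
SMUGGLING_PATTERNS = {
    "atob": r"\batob\s*\(",
    "Blob": r"new\s+Blob\s*\(",
    "createObjectURL": r"createObjectURL\s*\(",
    "msSaveOrOpenBlob": r"msSaveOrOpenBlob\s*\(",
    "download_attr": r"\.download\s*=",
}
# A long run of base64 characters anywhere in the page (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")


class _ScriptCollector(HTMLParser):
    """Collects the text of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyze_html(html: str) -> dict:
    """Return which smuggling indicators an HTML document exhibits."""
    collector = _ScriptCollector()
    collector.feed(html)
    js = "\n".join(collector.scripts)
    apis = sorted(n for n, pat in SMUGGLING_PATTERNS.items() if re.search(pat, js))
    largest_run = max((len(m) for m in B64_RUN.findall(html)), default=0)
    # Flag only when decode/assembly APIs coincide with a large embedded blob.
    return {"apis": apis, "largest_b64_run": largest_run,
            "suspicious": bool(apis) and largest_run > 0}


# Constructed samples: a smuggling-style page and a benign page.
SAMPLE_SMUGGLED = ("<html><body><p>Note verbale</p><script>var b = atob('" + "QUJD" * 600
                   + "');var u = new Uint8Array(b.length);var f = new Blob([u]);"
                   "var l = document.createElement('a');l.href = URL.createObjectURL(f);"
                   "l.download = 'attachment.zip';l.click();</script></body></html>")
SAMPLE_BENIGN = "<html><body><script>console.log('hi')</script><a href='/x'>x</a></body></html>"
```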
To maintain persistence, the PlugX payload copies the legitimate program and the DLL it loads into a hidden directory and registers the legitimate program under the Run registry key, so it is launched again at every logon. Because the autostart entry points at a legitimate program rather than at the malicious DLL, the malware is difficult for organizations to detect and remove.
While the techniques and malware used in the SmugX campaign are not new, it poses a challenge for targeted organizations due to the combination of different tactics and its ability to go undetected. To help organizations identify if they have been compromised, Check Point includes a list of indicators of compromise (IoCs) in their report.
Organizations can take several defensive measures to protect against PlugX and similar RATs. Employees should be cautious when clicking on unknown links or files while using a corporate network and should consult with IT departments before downloading anything new from the Internet. A comprehensive strategy that combines threat emulation and endpoint detection can also help defend against attacks like SmugX.
In conclusion, Chinese threat actors have targeted European policy-makers in a campaign known as SmugX that relies on HTML smuggling. This campaign, which has been ongoing for at least two months, utilizes HTML documents containing diplomatic-related content to deliver the PlugX RAT. While this represents a shift in targeting for Chinese threat actors, it is not entirely new, as previous campaigns by Chinese APT groups have also targeted Europe. Organizations can protect themselves by being vigilant and implementing comprehensive security measures.