A Chinese threat actor has been targeting European Foreign Affairs ministries and embassies in a series of cyber attacks, according to Check Point Research (CPR). The attacks, which started in December 2022, are believed to be an extension of the previously disclosed RedDelta campaign. CPR has identified a broader trend of Chinese activity targeting European entities and their foreign policy.
One of the techniques used by the threat actors is HTML Smuggling. In this technique, an HTML page with embedded JavaScript assembles the payload inside the victim’s browser and serves it as a file download, in this case a JavaScript or ZIP file. The lure themes primarily target governmental ministries in Eastern Europe, with a focus on European domestic and foreign policies. The attackers used various documents with diplomatic content, some of which were directly linked to China. These documents included a letter from the Serbian embassy in Budapest, a document stating the priorities of the Swedish Presidency of the Council of the European Union, an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs, and an article about two Chinese human rights lawyers sentenced to prison.
Security analysts also discovered a document called “China Tries to Block Prominent Uyghur Speaker at UN.docx”, which had been uploaded to VirusTotal. It contained a remote image that the document fetches from a specific URL when it is opened. This technique, known as pixel tracking, lets the attackers’ server log information such as the IP address, user-agent, and access time of whoever opened the document as soon as it receives the request for the remote image.
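A defender can check a suspicious .docx for this remote-image behaviour without opening it in Word, because a .docx is a ZIP of XML parts and every remote target is declared in a `.rels` part with `TargetMode="External"`. The following added example (not code from the original report or from Check Point) builds a constructed sample document in memory, with a placeholder tracker URL rather than any indicator from the page, and lists the external resources that would be fetched automatically on open:

```python
import zipfile
import xml.etree.ElementTree as ET
from io import BytesIO

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Constructed relationship part: two local targets, one ordinary hyperlink,
# and one image pulled from a remote URL. The URL is a placeholder.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>'
    '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
    '<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="https://tracker.example.invalid/p.png" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx(rels_xml: str = SAMPLE_RELS) -> bytes:
    """Assemble a minimal in-memory .docx (a ZIP of XML parts) around rels_xml."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_remote_resources(docx_bytes: bytes) -> list:
    """List external, non-hyperlink relationships across every .rels part.

    An image or template fetched from a URL is loaded automatically when the
    document renders, which is what lets the server record IP address,
    user-agent and access time. Hyperlinks are skipped: they are external by
    design and only fire on a click.
    """
    hits = []
    with zipfile.ZipFile(BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind == "hyperlink":
                    continue
                hits.append((part, rel.get("Id"), kind, rel.get("Target")))
    return hits


if __name__ == "__main__":
    for part, rid, kind, target in find_remote_resources(build_sample_docx()):
        print(f"{part}: {rid} {kind} -> {target}")
```

To triage a real file, replace `build_sample_docx()` with the bytes of the document; the same scan also surfaces remote templates and OLE objects, which are fetched on open in the same way.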
There are two infection chains in this campaign. One chain deploys a malicious LNK file inside a ZIP file, while the other uses JavaScript to fetch an MSI file from a remote server. The final payload in both chains is the PlugX malware, which has been used by Chinese threat actors since 2008. PlugX is a remote access tool (RAT) with a modular structure that allows plugins to be integrated flexibly. To maintain persistence, the PlugX payload copies both the legitimate program and the DLL into a newly created hidden directory.
Although the individual techniques used in this campaign are not new, the combination of tactics and infection chains with low detection rates allowed the threat actors to remain undetected for an extended period. The use of HTML Smuggling, along with the specific targeting of European entities, shows the evolving tactics and motivations of cybercriminals.
It is crucial for organizations and governments to stay vigilant and implement robust cybersecurity measures to protect against such threats. AI-based email security measures can play a vital role in detecting and preventing email threats. Businesses can request a free demo to explore how these measures can protect their sensitive information and mitigate cyber risks.
