A recently discovered campaign to deploy PlugX malware into diplomatic organizations in Europe is believed to be part of a wider move by threat actors tied to China to shift their focus to European targets.
Researchers at Check Point Research (CPR) have been tracking the PlugX campaign for the past two months and say it has targeted embassies and foreign affairs ministries in several European countries.
“This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent),” CPR researchers said in a July 3 report.
There is a degree of crossover between RedDelta and Mustang Panda, two Chinese state-sponsored advanced persistent threat (APT) groups, both known for their focus on espionage.
In its report, CPR said the recently discovered campaign used new delivery methods – most notably, HTML smuggling – to deploy a new variant of PlugX, a commonly used remote access tool (RAT) of Chinese origin. They are tracking the campaign as SmugX.
“Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods results in low detection rates, which until recently helped the campaign fly under the radar,” the researchers said.
What is HTML smuggling?
HTML smuggling involves malicious files being embedded into HTML documents, allowing them to evade network-based detection methods. HTML smuggling isn't new, however adversaries have relied on it more since Microsoft has shut down other popular ways to sneak malware onto systems, such as blocking macros by default in Word documents.
"HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code," wrote researchers at Trustwave in a blog posted earlier this year.
"The data blob, or the embedded payload, gets decoded into a file object when opened via a web browser. Threat actors take advantage of the versatility of HTML in combination with social engineering to lure the user into saving and opening the malicious payload," it wrote.
How European government entities were targeted
In the SmugX campaign, which is known to have targeted diplomatic entities in the UK, France, Sweden, Ukraine, Czech, Hungary, and Slovakia, the lure documents contained diplomacy-related content. Examples included a letter from the Serbian embassy in Budapest and an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs.
The threat actors used HTML smuggling to facilitate the downloading of either a JavaScript or ZIP file onto a compromised system. When a ZIP archive is used by the threat actors, it contains a malicious LNK file that runs PowerShell. When a JavaScript file is used, it downloads and executes an MSI file from the attackers’ server.
“As observed in past instances, PlugX malware employs DLL sideloading techniques,” the CPR researchers wrote. “After the lnk or MSI file drops the necessary files, it triggers the execution of a legitimate program, which in turn loads the malicious DLL.”
The DLL then decrypts the final payload, the PlugX malware, which can be used to carry out a range of malicious activities on compromised systems, including file exfiltration, screen capturing, keystroke logging, and command execution.
As a means of ensuring persistence, a hijacked legitimate executable is also downloaded during the infection process. The PlugX payload copies the legitimate program and the DLL, which are stored within a newly-created hidden directory. Persistence is achieved by adding the legitimate program to the Run registry key.
Similarities with Malicious USB campaign
“Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy,” the researchers said.
Last month, CPR reported on a new variant of a self-propagating malware being spread via USB drives by a China state-backed APT group it was tracking as Camaro Dragon.
In their latest report, the researchers said while Camaro Dragon’s activity overlapped with Mustang Panda and RedDelta, there was insufficient evidence to link the new PlugX campaign directly to Camaro Dragon. Because of that, they had decided to track the new campaign as SmugX.
“While none of the techniques observed in [the SmugX] campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” the researchers said.
“As for PlugX, it also remained largely unchanged from previous appearances, although one new aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously utilized XOR encryption.”