Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX


July 03, 2023 | Ravie Lakshmanan | Malware / Cyberespionage Attacks

HTML smuggling

A Chinese nation-state group has been observed targeting foreign affairs ministries and embassies in Europe, using HTML smuggling to deliver the PlugX remote access trojan to compromised systems.

Cybersecurity firm Check Point said the activity, which it tracks as SmugX, has been going on since at least December 2022.

“This campaign uses a new delivery method (notably – HTML Smuggling) to deploy a new variant of PlugX, an implant commonly associated with various Chinese threat actors,” Check Point said.

“While the payload itself remains similar to that found on older PlugX variants, the method of delivery resulted in low detection rates, which until now helped the campaign fly under the radar.”

The exact identity of the threat actor behind this operation is somewhat hazy, although the existing clues point towards Mustang Panda, a group that also overlaps with the clusters tracked as Earth Preta, RedDelta, and Check Point’s own Camaro Dragon designation.

However, the company says there is “insufficient evidence” at this stage to conclusively attribute it to any single known adversary.


The latest attack sequence is notable for its use of HTML smuggling, a stealth technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch malware inside the victim's browser, in a decoy document attached to a spear-phishing email.

“HTML smuggling uses HTML5 attributes that work offline by storing binaries in immutable data blobs in JavaScript code,” Trustwave noted early this February. “The blob data, or embedded payload, is rendered into a file object when opened through a web browser.”
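The mechanics Trustwave describes, as an added example that is not from the original article, Check Point or Trustwave: a constructed page showing the pattern (a base64 string decoded in the browser with atob, wrapped in a Blob and handed to the user as a download through an object URL and the download attribute), plus a small Node.js scanner that flags those features in HTML and sniffs the embedded payload's file signature. The sample page, the indicator list and the scoring are this example's own assumptions, and the embedded base64 is filler that merely starts with a ZIP header. Because the file is assembled client-side, the network only ever sees HTML and script, which is why a check like this has to look at the page content (or at what the browser writes to disk) rather than at a transferred file.

```javascript
// Added example (not Check Point's, Trustwave's or The Hacker News' code).
// Runs under Node.js 18+; uses only the global Buffer.

// Constructed sample: the shape of an HTML-smuggling page. The base64
// string is harmless filler whose first bytes are a ZIP local-file header
// (PK\x03\x04), not a real archive.
const SMUGGLING_HTML = `<html><body>
<script>
var b64 = "UEsDBBQAAAAIAAAAAAAAAAAAAAAAAAAAAAAA";
var bin = atob(b64);                          // decode in the browser
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);           // file exists only in memory
a.download = "Invitation.zip";                // browser writes it to disk
a.click();
</script></body></html>`;

// Constructed benign page for comparison.
const BENIGN_HTML = `<html><body><p>Hello</p><script>console.log("hi")</script></body></html>`;

// JavaScript/HTML5 features a smuggling page relies on (assumed indicator set).
const INDICATORS = [
  { name: "base64-decode",  re: /\batob\s*\(/ },
  { name: "blob-construct", re: /new\s+Blob\s*\(/ },
  { name: "object-url",     re: /URL\.createObjectURL\s*\(/ },
  { name: "download-attr",  re: /\.download\s*=|\bdownload\s*=\s*["']/ },
  { name: "legacy-ie-save", re: /msSaveOrOpenBlob\s*\(/ },
];

// File-signature prefixes (hex) worth flagging inside a smuggled blob.
const MAGIC = [
  { type: "zip", hex: "504b0304" },
  { type: "pe",  hex: "4d5a" },
  { type: "ole", hex: "d0cf11e0" },
  { type: "pdf", hex: "25504446" },
];

// Identify the payload type from its leading bytes.
function sniffMagic(bytes) {
  const head = bytes.subarray(0, 8).toString("hex");
  for (const m of MAGIC) if (head.startsWith(m.hex)) return m.type;
  return "unknown";
}

// Pull long base64-looking string literals out of the page and decode them.
function extractPayloads(html) {
  const literal = /["']([A-Za-z0-9+/]{24,}={0,2})["']/g;
  const out = [];
  let m;
  while ((m = literal.exec(html)) !== null) {
    const bytes = Buffer.from(m[1], "base64");
    out.push({ length: bytes.length, type: sniffMagic(bytes) });
  }
  return out;
}

// Score a page: decode + Blob + object URL (or the IE save API) together are
// the signature of the technique; a recognizable file header inside the
// decoded literal raises confidence.
function analyzeHtml(html) {
  const hits = INDICATORS.filter(i => i.re.test(html)).map(i => i.name);
  const payloads = extractPayloads(html);
  const smuggling =
    hits.includes("blob-construct") &&
    (hits.includes("object-url") || hits.includes("legacy-ie-save")) &&
    (hits.includes("base64-decode") || payloads.length > 0);
  const score = hits.length + payloads.filter(p => p.type !== "unknown").length * 2;
  return { smuggling, hits, payloads, score };
}

console.log(JSON.stringify(analyzeHtml(SMUGGLING_HTML)));
console.log(JSON.stringify(analyzeHtml(BENIGN_HTML)));
```

Real smuggling pages obfuscate the decoder (split strings, XOR the blob, hide the literal in a data attribute rather than a script variable), so a pattern scanner like this is a triage filter, not a verdict; the more robust control is to treat downloads that the browser itself wrote (the file is created locally, not fetched) with the same scrutiny as an email attachment.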

Analysis of the document, which was uploaded to the VirusTotal malware database, reveals that it was designed to target diplomats and government entities in Czechia, Hungary, Slovakia, the U.K., Ukraine, and possibly France and Sweden as well.


In one instance, the threat actor is said to have used a Uyghur-themed lure (“China Tries to Block Notable Uyghur Speaker in UN.docx”) which, when opened, beacons to external servers via embedded tracking links and invisible pixels to collect reconnaissance data about the victim.

The multi-stage infection process relies on DLL side-loading, in which a legitimate signed executable loads a malicious DLL placed beside it, to decrypt and launch the final payload, PlugX.

Also called Korplug, the malware dates back to 2008 and is a modular trojan capable of accommodating “multiple plug-ins with different functions” that allow operators to perform file stealing, screen capture, keystroke logging, and command execution.

“While we were investigating the samples, the threat actor submitted a batch script, sent from the C&C servers, which purported to erase traces of their activity,” Check Point said.

“This script, named del_RoboTask Update.bat, removes the legitimate executables, the PlugX loader DLLs, and the registry keys implemented for persistence, and eventually removes itself. This is likely the result of the threat actors realizing they are under surveillance.”
