Check Point analysts have discovered a SmugX malware campaign that is linked to the activities of Chinese hack groups Mustang Panda and RedDelta. In these attacks, the attackers use HTML smuggling to hide malicious payloads in encoded strings of HTML documents.
The attacks, which began in December 2022, target embassies and foreign ministries in the UK, France, Sweden, Ukraine, the Czech Republic, Hungary and Slovakia.
SmugX attack map
Recall that we also talked about how Chinese state hackers carefully collect and analyze vulnerabilities to use them for cyber espionage, and there is already a list of bugs that Chinese hackers use most often.
Information security specialists also recently shared a wild story about how Chinese hackers accidentally infected a European hospital.
This time the hackers are basing their spy campaign on phishing emails, which are accompanied by decoy documents, usually devoted to European domestic and foreign policy.
Bait Documents
The HTML smuggling technique involves using legitimate HTML5 and JavaScript functions to build and run malware that is hidden in decoy documents attached to phishing emails.
The researchers identified two infection chains, both of which use HTML smuggling to hide payloads in documents. So, in one of the options, a ZIP archive with a malicious LNK file, which launches PowerShell and extracts the archive, saving its contents in the Windows temporary folder, is attached to the letters.
HTML smuggling
This archive contains three files, one of which is a legitimate executable (robotaskbaricon.exe or passwordgenerator.exe) from an older version of the RoboForm password manager. It allows loading DLL files that are not related to the application, that is, to carry out DLL sideloading.
The other two files are a malicious DLL (Roboform.dll) that is loaded using one of the mentioned legitimate EXE files, and a data.dat file containing the PlugX remote access trojan (RAT) that is launched via PowerShell.
In the second case, HTML smuggling is used to load a JavaScript file that executes an MSI file obtained from the attackers’ remote C&C server. This MSI file creates a new folder in the %appdata%\Local directory and stores three files there: a legitimate executable, a loader DLL, and an encrypted PlugX payload (data.dat).
Again, the legitimate program is launched and the PlugX malware is loaded into memory via DLL sideloading, which helps hackers avoid detection.
To gain a foothold in the system, the malware creates a hidden directory in which it stores legitimate EXE and malicious DLL files, and also adds the program to the Run section in the registry.
Attack options
The researchers note that once PlugX is installed and running on a victim’s computer, it can download and open a distracting PDF file so as not to arouse the user’s suspicions.
Analysts also say that while studying this campaign, they seem to have attracted the attention of hackers.
