Chinese Hackers Launch SmugX Malware Campaign against European Diplomats

SmugX malware campaign
Check Point analysts have discovered a SmugX malware campaign that is linked to the activities of the Chinese hacking groups Mustang Panda and RedDelta. In these attacks, the attackers use HTML smuggling to hide malicious payloads in encoded strings inside HTML documents.

The attacks, which began in December 2022, target embassies and foreign ministries in the UK, France, Sweden, Ukraine, the Czech Republic, Hungary and Slovakia.

Figure: SmugX attack map

Recall that we also talked about how Chinese state hackers carefully collect and analyze vulnerabilities to use them for cyber espionage, and there is already a list of bugs that Chinese hackers use most often.

Information security specialists also recently shared a wild story about how Chinese hackers accidentally infected a European hospital.

This time the hackers are basing their spy campaign on phishing emails, which are accompanied by decoy documents, usually devoted to European domestic and foreign policy.

Figure: Bait documents

The HTML smuggling technique involves using legitimate HTML5 and JavaScript functions to build and run malware that is hidden in decoy documents attached to phishing emails.

The researchers identified two infection chains, both of which use HTML smuggling to hide payloads in documents. In the first variant, the emails carry a ZIP archive containing a malicious LNK file; the LNK launches PowerShell, which extracts the archive and saves its contents to the Windows temporary folder.

Figure: HTML smuggling

This archive contains three files, one of which is a legitimate executable (robotaskbaricon.exe or passwordgenerator.exe) from an older version of the RoboForm password manager. This executable loads DLL files that do not belong to the application, which makes it usable for DLL sideloading.

The other two files are a malicious DLL (Roboform.dll), which is loaded by one of the legitimate EXE files mentioned above, and a data.dat file containing the PlugX remote access trojan (RAT), which is launched via PowerShell.

In the second case, HTML smuggling is used to load a JavaScript file that executes an MSI file obtained from the attackers’ remote C&C server. This MSI file creates a new folder in the %appdata%\Local directory and stores three files there: a legitimate executable, a loader DLL, and an encrypted PlugX payload (data.dat).

Again, the legitimate program is launched and the PlugX malware is loaded into memory via DLL sideloading, which helps hackers avoid detection.
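A defender-side check for the first infection chain described above (an HTML document that smuggles a ZIP archive carrying an LNK file). This is an added example, not code from Check Point or from this article: it hunts for long base64 runs in an HTML attachment, decodes any that turn out to be ZIP archives, and flags .lnk members; the sample HTML it scans is constructed inline, with a zero-filled placeholder in place of a real shortcut file.

```python
import base64
import io
import re
import zipfile

# Base64 runs long enough to hold a file rather than an inline icon or token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# JavaScript markers that commonly accompany a browser-side drop of an embedded file.
JS_HINTS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob", ".download")

def scan_html(html: str) -> dict:
    """Return findings for one HTML document: decoded ZIPs, LNK members, JS hints."""
    findings = {"js_hints": [h for h in JS_HINTS if h in html], "zips": []}
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid base64 (e.g. a long hex string or token)
        if not raw.startswith(b"PK\x03\x04"):
            continue  # only ZIP local-file-header magic is of interest here
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # truncated or corrupt archive
        findings["zips"].append({
            "size": len(raw),
            "members": names,
            "has_lnk": any(n.lower().endswith(".lnk") for n in names),
        })
    # An embedded ZIP with an LNK inside, or one dropped via the JS pattern, is suspicious.
    findings["suspicious"] = bool(findings["zips"]) and (
        any(z["has_lnk"] for z in findings["zips"]) or bool(findings["js_hints"]))
    return findings

def build_sample() -> str:
    """Constructed test document: a ZIP with an .lnk member embedded in a script string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.lnk", b"\x00" * 512)  # placeholder, not a real shortcut
        zf.writestr("readme.txt", b"constructed sample")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"<html><body><script>var d=atob('{b64}');</script></body></html>"

if __name__ == "__main__":
    print(scan_html(build_sample()))
```

Real attachments often split the base64 across lines or stash it in a data attribute, so a production scanner should also join line-broken runs before decoding.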

To persist on the system, the malware creates a hidden directory in which it stores the legitimate EXE and the malicious DLL, and also adds the program to the Run key in the registry.

Figure: Attack options

The researchers note that once PlugX is installed and running on a victim’s computer, it can download and open a distracting PDF file so as not to arouse the user’s suspicions.

Analysts also say that while studying this campaign, they seem to have attracted the attention of hackers.

“During the study of samples, the attackers sent a batch script from the C&C server designed to destroy any traces of their activity. This script, named del_RoboTask Update.bat, destroys the legitimate executable, the PlugX loader DLL, and the registry key created to keep it present on the system. Ultimately, it deletes itself. This is probably the result of the attackers noticing that they are under scrutiny,” the company says.

About the author

Volodymyr Krasnogolovy

I'm a journalist, cybersecurity specialist, content manager, copywriter, and photojournalist. With a deep passion for cybersecurity and a diverse skill set, I'm excited to share my expertise through this blog. From researching the latest threats to crafting engaging narratives and capturing powerful visuals, I strive to provide valuable insights and raise awareness about the importance of cybersecurity.
