Chinese Hackers Are Using HTML Smuggling to Target Europe
Hackers Deploy Updated PlugX Malware Variant to Target Foreign Affairs Ministries
A Chinese nation-state group is hacking foreign affairs ministries and embassies across Europe, using HTML smuggling to deliver the PlugX remote access Trojan onto compromised systems. The campaign is targeted and covert, raising concerns about the security of diplomatic institutions and the sensitive information they hold.
Researchers at Check Point Research observed the ongoing campaign, which they track as SmugX and which delivers a new variant of PlugX. It has been active since at least December 2022. They found overlaps with a previously reported campaign attributed to RedDelta and Mustang Panda.
"Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy," the researchers said.
Using an <a> element, the embedded payload is turned into a blob, passed to the createObjectURL function to create a URL object, and the download attribute is set to the desired filename, the researchers said. Because the file is assembled by JavaScript inside the browser rather than fetched from a server, no second download request is visible to network security controls.
Most of the phishing content dealt with diplomatic topics, and in more than one case it related directly to China. The lure documents included an article about two Chinese human rights lawyers being sentenced to more than a decade in prison, a letter originating from the Serbian Embassy in Budapest, and a document stating the priorities of the Swedish presidency of the Council of the European Union.
Researchers observed two main infection chains. Both originate from an HTML file that saves the second stage to the user's Downloads folder.
A PowerShell script then runs the hijacked legitimate software, which loads the PlugX payload. PlugX lets the attackers carry out a range of malicious activities on compromised systems, including file theft, screen capture, keystroke logging and command execution.