European Government Agencies Targeted In SmugX Campaign

New research from security firm Check Point shows Chinese threat actors actively targeting European government agencies, with a focus on embassies and foreign affairs ministries, in a campaign tracked as SmugX.

Researchers believe this is part of a larger trend in Chinese threat actor activity: a shift toward targeting European entities, with a focus on their foreign policy.

Check Point's report noted that the delivery technique used against these agencies was central to the attacks.

The technique, known as HTML Smuggling, hides malicious files within HTML documents. It is possible because a page's JavaScript can hold large binary objects, called blobs, in memory, and malicious actors can use such a blob to initiate a download without fetching the file from a remote server.

In the campaign discovered by Check Point researchers, the attack chain went as follows:

  1. The payload embedded within the code is decoded and saved to a JavaScript blob, specifying the appropriate file type, such as application/zip.
  2. Instead of using an anchor (<a>) element already present in the HTML, the JavaScript code creates it dynamically.
  3. A URL object is created from the blob using the createObjectURL function.
  4. The download attribute is set with the desired filename.
  5. Finally, the code invokes the click action, which simulates a user clicking on the link and initiates the file download.
  6. For older browser versions, the code uses msSaveOrOpenBlob to save the blob with the desired filename.
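The six steps above give a defender a concrete set of indicators to look for in an HTML attachment. The following is an added example, not code from Check Point or PCrisk: a heuristic scanner that weights each step's tell-tale JavaScript call, plus the long base64 run that carries the embedded payload, and checks that an ordinary in-page download (a CSV export) stays below the threshold. The weights and threshold are this example's own assumptions, and both sample pages are constructed.

```python
import re

# Heuristic indicators for the smuggling chain described above. Regexes and
# weights are this example's own choices, not from the Check Point report.
INDICATORS = {
    # Step 1: a Blob built with an archive or executable MIME type.
    "blob_archive_mime": (re.compile(
        r"new\s+Blob\s*\(.{0,200}?application/(?:zip|x-msdownload|octet-stream)",
        re.I | re.S), 3),
    "base64_decode": (re.compile(r"\batob\s*\(", re.I), 1),
    # Step 2: the anchor is created in script rather than present in the markup.
    "dynamic_anchor": (re.compile(r"createElement\s*\(\s*['\"]a['\"]\s*\)", re.I), 2),
    # Step 3: object URL for the blob.
    "object_url": (re.compile(r"createObjectURL\s*\(", re.I), 1),
    # Step 4: download attribute carrying a filename.
    "download_attr": (re.compile(r"\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]", re.I), 2),
    # Step 5: synthetic click.
    "synthetic_click": (re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    # Step 6: legacy save path for old browsers.
    "legacy_save": (re.compile(r"msSaveOrOpenBlob", re.I), 2),
}
LARGE_B64 = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")  # the embedded payload itself
THRESHOLD = 8  # assumption: benign client-side downloads score below this

def scan_html(html: str) -> dict:
    """Return matched indicator names, their total weight, and a verdict."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    score = sum(INDICATORS[name][1] for name in hits)
    if LARGE_B64.search(html):
        hits.append("large_embedded_base64")
        score += 3
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}

# Constructed fixtures: a smuggling-style page with a dummy payload, and a benign CSV export.
SMUGGLING_SAMPLE = """<script>
var b = atob('%s');
var blob = new Blob([b], {type: 'application/zip'});
if (window.navigator.msSaveOrOpenBlob) { window.navigator.msSaveOrOpenBlob(blob, 'doc.zip'); }
var a = document.createElement('a'); a.href = URL.createObjectURL(blob);
a.download = 'doc.zip'; a.click();
</script>""" % ("QUJD" * 600)
BENIGN_SAMPLE = """<script>
var blob = new Blob([rows.join('\\n')], {type: 'text/csv'});
var a = document.createElement('a'); a.href = URL.createObjectURL(blob);
a.download = 'report.csv'; a.click();
</script>"""

if __name__ == "__main__":
    print(scan_html(SMUGGLING_SAMPLE))  # suspicious, score 15
    print(scan_html(BENIGN_SAMPLE))     # not suspicious, score 6
```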

The campaign, which started in December 2022, was seen targeting embassies and foreign affairs ministries in the UK, France, Sweden, Ukraine, the Czech Republic, Hungary, and Slovakia.

Phishing lures are built around European domestic and foreign policy topics, lending them the legitimacy needed to get officials to open them and expose themselves to infection.

Much of the operation is aimed at reconnaissance; the researchers state:

During our research, we came across a document named China Tries to Block Prominent Uyghur Speaker at UN.docx, which was uploaded to VirusTotal. This document employs a remote image technique to access the URL hxxps://www.jcswcd[.]com/?wd=cqyahznz, containing a single-pixel image which is not apparent to the user. This technique, called pixel tracking, is commonly used as a reconnaissance tool. As the remote image is requested, the attackers’ server logs the request, capturing information such as the IP address, user agent, and sometimes the time of access. By analyzing the collected data, the attackers can gather information about the recipient’s behavior, such as when and where the document was accessed.
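The remote image the researchers describe lives in the document's relationship parts, so it can be spotted without opening the file in Word. The following is an added example, not Check Point's or PCrisk's code: it builds a minimal .docx in memory (constructed, with a placeholder tracker URL) and flags image relationships whose TargetMode is External, which is how a .docx references a picture fetched from a URL rather than one embedded under word/media.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

def external_images(docx_bytes: bytes) -> list:
    """Return (rels part, target) pairs for images fetched from outside the package.

    An embedded picture has Target="media/image1.png" and no TargetMode; a remote
    image (the pixel-tracking case) has TargetMode="External" and an http(s) Target.
    Every word/*.rels part is checked, so headers and footers are covered too.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == IMAGE_REL and rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Target")))
    return found

def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Placeholder tracker URL; the real one is in the quoted passage above.
TRACKING_RELS = f'''<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{IMAGE_REL}" Target="https://tracker.example.invalid/p.gif?id=1" TargetMode="External"/>
</Relationships>'''
EMBEDDED_RELS = f'''<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>
</Relationships>'''

if __name__ == "__main__":
    print(external_images(build_docx(TRACKING_RELS)))  # one external image flagged
    print(external_images(build_docx(EMBEDDED_RELS)))  # []
```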

PlugX Malware and Attack Chain

The final payload dropped on victim machines is the PlugX RAT. However, researchers noted that two distinct attack chains were used to deliver it.

Both chains start with HTML smuggling, as described above, but differ in their second stage: one uses a ZIP file, while the other uses a JavaScript file.

In the ZIP chain, the archive's contents, once executed, retrieve a second ZIP file containing the files needed to install PlugX. In the JavaScript chain, the script downloads an MSI file that, when executed, ultimately drops PlugX.

PlugX has been used by various Chinese state-sponsored groups since 2008. It operates as a remote access tool (RAT), and employs a modular structure that enables it to accommodate diverse plugins with distinct functionalities.

This enables the attackers to carry out various malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution.

Recently, PlugX has been deployed in RedDelta and Mustang Panda campaigns. When looking to attribute this campaign, Check Point researchers noted that the infrastructure used had several similarities to previous Mustang Panda and RedDelta campaigns, including similarities involving certificates and IP addresses.

Significant similarities also exist in the targets of the campaign. That said, researchers could not establish a definitive link between this campaign, tracked as SmugX, and previous campaigns attributed to RedDelta and Mustang Panda.

Researchers also noted similarities to another campaign being tracked as Camaro Dragon, but again definitive proof needs to be uncovered before any attribution claim linking the two campaigns is made.

The researchers concluded:

...we analyzed a recent campaign which correlates to RedDelta activities, and overlaps to some degree with Mustang Panda, highlighting their persistent targeting of European government entities. We identified multiple infection chains that employ the HTML Smuggling technique which leads to the deployment of the PlugX payload. The campaign, called SmugX, is part of a larger trend we’re seeing of Chinese threat actors shifting their focus to Europe.

They further noted:

While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while. As for PlugX, it also remained largely unchanged from previous appearances, although one new aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously utilized XOR encryption.

While the techniques observed in the SmugX campaign are not new, the low detection rates show they remain effective. That PlugX has changed little from previous iterations suggests it still serves the reconnaissance work Chinese state-sponsored groups are tasked with.

About the author:

Karolis Liucveikis
