New research from security firm Check Point shows Chinese Threat Actors actively targeting European government agencies with a focus on embassies and foreign affairs ministries in a campaign used to distribute SmugX.
Researchers believe this is a part of a larger trend in Chinese threat actor actions, that being a shift to targeting European entities with a focus on their foreign policy.
Check Point's subsequent report noted that the delivery technique the threat actors used against these agencies, HTML smuggling, was central to the attacks.
In the campaign discovered by Check Point researchers, the attack chain went as follows:
- A URL object is created from the blob using the createObjectURL function.
- The download attribute is set with the desired filename.
- Finally, the code invokes the click action, which simulates a user clicking on the link and initiates the file download.
- For older browser versions, the code employs msSaveOrOpenBlob to save the blob with the desired filename.
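The browser-side steps listed above are also what a defender can look for in a suspicious HTML attachment. The following is an added detection example, not code from Check Point's report: it scans HTML text for the blob-to-download chain (Blob constructor, createObjectURL, download attribute, synthetic click, or the msSaveOrOpenBlob fallback) plus an embedded base64 run, and flags only the combination, since any single indicator is routine in legitimate pages. The indicator set, the 400-character base64 threshold and both sample pages are my own constructed assumptions.

```python
import re

# Indicators taken from the chain described above (blob -> object URL ->
# download attribute -> click, or the msSaveOrOpenBlob legacy path).
# Grouping and threshold are my own assumption, not Check Point's logic.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|setAttribute\(\s*['\"]download['\"]"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    # a long run of base64 characters suggests an embedded encoded payload
    "embedded_base64_blob": re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
}

def find_indicators(html):
    """Return the indicator names present in the HTML text."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]

def is_suspected_smuggling(html):
    """Require the combination, since any single indicator (e.g. a.download)
    is routine in legitimate pages: a Blob that is either pushed through
    createObjectURL + download + click, or handed to msSaveOrOpenBlob."""
    hits = set(find_indicators(html))
    modern = {"object_url", "download_attr", "synthetic_click"} <= hits
    return "blob_ctor" in hits and (modern or "ms_save_blob" in hits)

# Constructed sample: the delivery scaffold from the steps above, with a
# meaningless placeholder blob instead of a real payload.
SMUGGLING_HTML = """<html><body><script>
var data = atob('""" + "QUFB" * 120 + """');
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {type: 'application/octet-stream'});
if (window.navigator.msSaveOrOpenBlob) {
  window.navigator.msSaveOrOpenBlob(blob, 'document.zip');
} else {
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'document.zip';
  a.click();
}
</script></body></html>"""

# Constructed benign page: a plain download link, no blob assembled in script.
BENIGN_HTML = """<html><body>
<a href="/reports/q1.csv" download="q1.csv">Download CSV</a>
</body></html>"""
```

Run over mail-gateway or proxy-captured HTML attachments, a hit on is_suspected_smuggling is a reason to detonate or quarantine the file rather than rely on the download's declared filename.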
The attack campaign, which started in December 2022, was seen attacking embassies and foreign affairs ministries in the UK, France, Sweden, Ukraine, Czech, Hungary, and Slovakia.
Phishing lures tend to be created around European domestic and foreign policies, adding the necessary layer of legitimacy to get officials to interact with them and open themselves up to possible infection.
Much of the operation’s aims are centered around reconnaissance, with researchers stating,
During our research, we came across a document named China Tries to Block Prominent Uyghur Speaker at UN.docx, which was uploaded to VirusTotal. This document employs the remote image technique to access the URL hxxps://www.jcswcd[.]com/?wd=cqyahznz, containing a single-pixel image which is not apparent to the user. This technique, called pixel tracking, is commonly used as a reconnaissance tool. As the remote image is requested, the attackers’ server logs the request, capturing information such as the IP address, user agent, and sometimes the time of access. By analyzing the collected data, the attackers can gather information about the recipient’s behavior, such as when and where the document was accessed.
PlugX Malware and Attack Chain
The ultimate malware payload dropped on victim machines is the PlugX RAT. However, researchers noted that two distinct attack chains were used to deliver the malware.
PlugX has been used by various Chinese state-sponsored groups since 2008. It operates as a remote access tool (RAT) and employs a modular structure that lets it accommodate diverse plugins with distinct functionalities.
This enables the attackers to carry out various malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution.
Recently, PlugX has been deployed in RedDelta and Mustang Panda campaigns. When looking to attribute this campaign, Check Point researchers noted that the infrastructure used had several similarities to previous Mustang Panda and RedDelta campaigns, including similarities involving certificates and IP addresses.
Significant similarities also exist in the targets of the campaign. That said, researchers could not prove any absolute links concerning this campaign, tracked as SmugX, to previous campaigns attributed to RedDelta and Mustang Panda.
Researchers also noted similarities to another campaign being tracked as Camaro Dragon, but again, definitive proof would need to be uncovered before any attribution claim linking the two campaigns is made.
...we analyzed a recent campaign which correlates to RedDelta activities, and overlaps to some degree with Mustang Panda, highlighting their persistent targeting of European government entities. We identified multiple infection chains that employ the HTML Smuggling technique which leads to the deployment of the PlugX payload. The campaign, called SmugX, is part of a larger trend we’re seeing of Chinese threat actors shifting their focus to Europe.
While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while. As for PlugX, it also remained largely unchanged from previous appearances, although one new aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously utilized XOR encryption.
While the techniques observed in the SmugX campaign are not new, the low detection rates show they still work. That PlugX has remained largely unchanged across iterations suggests it continues to serve the reconnaissance work Chinese state-sponsored groups are tasked with.