SmugX Malware Campaign Linked to Chinese Hack Groups Discovered by Check Point Analysts
Check Point analysts have discovered a SmugX malware campaign that is linked to the activities of Chinese hack groups Mustang Panda and RedDelta. In these attacks, the attackers use HTML smuggling to hide malicious payloads in encoded strings of HTML documents.
The attacks, which began in December 2022, target embassies and foreign ministries in the UK, France, Sweden, Ukraine, the Czech Republic, Hungary and Slovakia.
Phishing Emails with Decoy Documents
The hackers base their spying campaign on phishing emails accompanied by decoy documents, usually on European domestic and foreign policy.
HTML Smuggling Technique
The HTML smuggling technique involves using legitimate HTML5 and JavaScript functions to build and run malware that is hidden in decoy documents attached to phishing emails.
The researchers identified two infection chains, both of which use HTML smuggling to hide payloads in documents. In one of the variants, a ZIP archive containing a malicious LNK file is attached to the emails; the LNK launches PowerShell, which extracts the archive and saves its contents in the Windows temporary folder.
This archive contains three files, one of which is a legitimate executable (robotaskbaricon.exe or passwordgenerator.exe) from an older version of the RoboForm password manager. This executable can be made to load DLL files unrelated to the application, that is, it can be abused for DLL sideloading.
The other two files are a malicious DLL (Roboform.dll) that is loaded using one of the mentioned legitimate EXE files, and a data.dat file containing the PlugX remote access trojan (RAT) that is launched via PowerShell.
In the second case, HTML smuggling is used to load a JavaScript file that executes an MSI file obtained from the attackers’ remote C&C server. This MSI file creates a new folder in the %appdata%\Local directory and stores three files there: a legitimate executable, a DLL loader, and an encrypted PlugX payload (data.dat).
Again, the legitimate program is launched and the PlugX malware is loaded into memory via DLL sideloading, which helps hackers avoid detection.
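As an added example (not code from Check Point's report or from the campaign), the heuristic below shows how a defender can triage an HTML attachment for the HTML smuggling stage described above: it looks for the client-side JavaScript building blocks (base64 decoding, Blob creation, object URLs, a forced download) and decodes long base64 literals to see whether a ZIP, PE or PDF is embedded. The sample HTML is constructed for this example.

```python
import base64
import re

# Constructed sample: a decoy page that assembles a ZIP in the browser and drops it.
# Only the first bytes of a ZIP header are embedded; it is not a real archive.
SAMPLE_HTML = """<html><body><p>Embassy briefing</p>
<script>
var b = "UEsDBBQAAAAIAAAAIQA=";  // constructed: leading bytes of a ZIP ("PK..")
var bytes = Uint8Array.from(atob(b), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "briefing.zip";
a.click();
</script></body></html>"""

# Legitimate HTML5/JavaScript APIs that, used together, form a client-side file drop.
API_PATTERNS = {
    "atob": r"\batob\s*\(",
    "Blob": r"new\s+Blob\s*\(",
    "createObjectURL": r"URL\.createObjectURL\s*\(",
    "download_attr": r"\.download\s*=|\bdownload\s*=",
    "click": r"\.click\s*\(",
}
# Quoted base64 literals long enough to hold more than a short token.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
# Magic bytes of container formats worth flagging once decoded.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}

def decode_literals(html):
    """Return (decoded_length, detected_kind) for every decodable base64 literal."""
    found = []
    for lit in B64_LITERAL.findall(html):
        try:
            data = base64.b64decode(lit, validate=True)
        except ValueError:
            continue  # not valid base64, ignore
        kind = next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")
        found.append((len(data), kind))
    return found

def score_html(html):
    """Flag the file when several drop APIs co-occur with an embedded container."""
    hits = [name for name, pat in API_PATTERNS.items() if re.search(pat, html)]
    embedded = [kind for _, kind in decode_literals(html) if kind != "unknown"]
    verdict = "smuggling-likely" if len(hits) >= 3 and embedded else "benign-or-unknown"
    return {"apis": hits, "embedded": embedded, "verdict": verdict}

if __name__ == "__main__":
    print(score_html(SAMPLE_HTML))
```

The thresholds are a starting point for mail-gateway or sandbox triage, not a signature; a hit should be followed by detonating the file to see what it writes to disk.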
To gain a foothold in the system, the malware creates a hidden directory in which it stores legitimate EXE and malicious DLL files, and also adds the program to the Run section in the registry.
The researchers note that once PlugX is installed and running on a victim’s computer, it can download and open a distracting PDF file so as not to arouse the user’s suspicions.
Analysts also say that while studying this campaign, they seem to have attracted the attention of hackers.