Check Point Research tracks a Chinese threat actor targeting European government ministries and embassies, using HTML Smuggling to deploy a PlugX variant across Eastern Europe. The SmugX operation overlaps with RedDelta and Mustang Panda, employs two infection chains, and leverages RC4 encryption and DLL side-loading to maintain persistence and control. #SmugX #PlugX #RedDelta #MustangPanda #CamaroDragon
Keypoints
- A Chinese threat actor is targeting European government entities, with a focus on foreign policy ministries and embassies.
- HTML Smuggling hides malicious payloads inside HTML documents to evade network detection.
- Two infection chains exist: one uses a ZIP containing an LNK file that triggers PowerShell to load PlugX; the other downloads an MSI via JavaScript.
- PlugX is the main implant, using DLL sideloading and RC4 encryption for payload delivery and execution.
- Lures and targets are diplomacy-themed (e.g., embassy letters, EU Presidency priorities) and align with Eastern European government interests.
- The campaign overlaps with RedDelta and Mustang Panda; links to Camaro Dragon are not yet proven.
MITRE Techniques
- [T1204] User Execution – The HTML Smuggling chain invokes a simulated click to initiate the file download. ‘The code invokes the click action, which simulates a user clicking on the link, and initiates the file download.’
- [T1059.001] PowerShell – The PowerShell process continues to run the hijacked software, triggering the PlugX payload execution. ‘The PowerShell then continues to run the hijacked software, triggering the execution of the PlugX payload stored in data.dat.’
- [T1574.002] DLL Side-Loading – PlugX uses DLL sideloading to load the malicious DLL after dropping legitimate components. ‘PlugX malware employs DLL sideloading techniques.’
- [T1547.001] Run Keys/Startup Folder – Persistence via the Run registry key. ‘The malware achieves persistence by adding the legitimate program to the Run registry key.’
- [T1105] Ingress Tool Transfer – The second chain downloads an MSI file from a remote server. ‘downloads and executes an MSI file from the attackers’ server.’
- [T1071.001] Web Protocols – C2 communications with the attacker’s infrastructure. ‘C&C (Command and Control) server’ is referenced in payload configuration and communication context.
- [T1027] Obfuscated/Encrypted Files and Information – RC4 encryption increasingly used for payload/config. ‘the increasing use of the RC4 encryption method compared to the simple XOR decryption we have seen in the past.’
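As an added defender-side example (not code from the Check Point report), the Python below triages an HTML document for the smuggling pattern described in the keypoints and the [T1204] entry: a large base64 blob, client-side Blob/createObjectURL assembly, and a simulated click on a download link, then sniffs the decoded blob for ZIP, PE or MSI magic bytes. The marker names, the three-marker threshold and the sample page are assumptions.

```python
import base64
import io
import re
import zipfile

# Regexes for the client-side assembly pattern the report describes: decode base64,
# wrap it in a Blob, attach an object URL to a download link and fire a synthetic click.
JS_MARKERS = {
    "atob": r"\batob\s*\(",
    "blob": r"new\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "download_attr": r"\.download\s*=|\bdownload\s*=\s*['\"]",
    "click": r"\.click\s*\(\s*\)",
    "ms_save": r"msSaveOrOpenBlob",
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole/msi"}

def sniff_blob(b64):
    """Decode a base64 run and report the file type by magic bytes, if any."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return None
    return next((name for magic, name in MAGIC.items() if raw.startswith(magic)), None)

def triage_html(html):
    """Return the JS markers found and the file types recovered from embedded base64."""
    markers = [name for name, pat in JS_MARKERS.items() if re.search(pat, html)]
    embedded = [t for t in map(sniff_blob, (m.group(0) for m in B64_BLOB.finditer(html))) if t]
    # Flag only when blob assembly is present AND the blob decodes to an archive/executable.
    suspicious = len(markers) >= 3 and bool(embedded)
    return {"markers": markers, "embedded": embedded, "suspicious": suspicious}

def build_sample_html():
    """Constructed sample (not from the report): a page that smuggles a tiny ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Letter.lnk", b"placeholder, not a real shortcut")  # constructed
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var payload = "{b64}";
var blob = new Blob([atob(payload)], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Letter.zip";
a.click();
</script></body></html>"""
```

Run `triage_html` over mail attachments or proxy-captured HTML; a hit with an embedded ZIP or MSI is a candidate for the first or second infection chain respectively.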
Indicators of Compromise
- [IP] Infrastructure / C2 – 62.233.57.136, 45.134.83.29, and 2 more IPs
- [Domain] Domains – jcswcd.com, newsmailnet.com
- [Path] Paths – C:\Users\Public\VirtualFile, C:\Users\Public\SamsungDriver
Read more: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/