A wave of attacks is targeting European entities, especially those focused on foreign policy, using the HTML Smuggling technique. Check Point Research has been tracking the campaign, named SmugX, which has been active since December 2022.

More in detail 

Based on the analysis, the campaign is likely an extension of a prior campaign carried out by the RedDelta and Mustang Panda threat groups. 
  • The campaign uses HTML Smuggling to deploy a new variant of PlugX, an implant most commonly used by Chinese threat actors. 
  • The new variant encrypts its payload with RC4, which helps it evade detection; the implant also establishes persistence on the infected host.
  • The payload is distributed as an archive or MSI file embedded within an HTML document, so the malicious file is assembled by the victim's browser and never crosses the network as a recognizable file, letting the attackers evade network-based detection.
  • A majority of the lure documents carried diplomacy-related content, including material originating from the Serbian embassy in Budapest, the Swedish Presidency, or Hungary’s Ministry of Foreign Affairs; in more than one case the content related directly to China.
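The delivery mechanism described above leaves a recognizable pattern inside the HTML itself: a large base64 string in an inline script plus the browser APIs needed to turn it into a file on disk (Blob, URL.createObjectURL, an anchor with a download attribute, or msSaveOrOpenBlob). The scanner below is an added example written for this page, not code from Check Point Research or from the SmugX campaign. It parses a constructed sample page (a fake ZIP with a correct magic number and a zero-filled body, smuggled with the generic decode-and-download pattern), flags the presence of download APIs, decodes any embedded base64 blob and identifies the container type by its magic bytes. The helper names, thresholds and the sample page are all assumptions made for the example.

```python
"""Heuristic scanner for HTML-smuggling documents.

Added example for this article, not the researchers' or the campaign's code.
The sample page in build_sample() is constructed for illustration; its
script uses the generic HTML-smuggling pattern (base64 -> Blob -> anchor
download), not a reproduction of any SmugX document.
"""
import base64
import re
from dataclasses import dataclass, field

# Browser APIs commonly used to materialise a smuggled file on disk.
DOWNLOAD_APIS = (
    "msSaveOrOpenBlob",
    "URL.createObjectURL",
    "new Blob(",
    ".download",
)

# Magic bytes of the containers the article mentions (ZIP archives and MSI,
# which is an OLE compound file) plus two other common dropper formats.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/msi",
    b"MZ": "pe",
    b"%PDF": "pdf",
}

# A quoted base64 run of at least 200 characters (threshold is an assumption).
BASE64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


@dataclass
class Finding:
    apis: list = field(default_factory=list)      # download APIs seen
    payloads: list = field(default_factory=list)  # (container type, size)

    @property
    def suspicious(self) -> bool:
        # Require both halves of the pattern: an embedded file AND the
        # JavaScript that writes it to disk. A page with only a large
        # base64 string (fonts, images, JSON) is not flagged.
        return bool(self.apis) and bool(self.payloads)


def identify(data: bytes) -> str:
    """Return the container type implied by the leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def scan_html(html: str) -> Finding:
    """Inspect every inline <script> for download APIs and embedded blobs."""
    finding = Finding()
    for script in SCRIPT_RE.findall(html):
        finding.apis.extend(api for api in DOWNLOAD_APIS if api in script)
        for blob in BASE64_RE.findall(script):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                continue         # long identifier or hash, not base64 data
            finding.payloads.append((identify(raw), len(raw)))
    return finding


def build_sample() -> str:
    """Constructed sample: a fake ZIP (valid magic, zero-filled body) that the
    script decodes into a Blob and hands to the browser as a download."""
    fake_zip = b"PK\x03\x04" + b"\x00" * 300
    b64 = base64.b64encode(fake_zip).decode()
    return f"""<html><body><p>Invitation to a diplomatic conference</p>
<script>
var d = "{b64}";
var bin = atob(d), arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invitation.zip";
a.click();
</script></body></html>"""


if __name__ == "__main__":
    result = scan_html(build_sample())
    print("suspicious:", result.suspicious)
    print("download APIs:", sorted(set(result.apis)))
    print("embedded payloads:", result.payloads)
```

Because the browser, not the network, assembles the file, this check belongs at the mail gateway or web proxy where the HTML attachment itself is visible, and in endpoint telemetry that records browser-initiated file writes. The same decode step can feed the extracted archive or MSI straight into a sandbox.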

Attribution

Check Point links the campaign to RedDelta and Mustang Panda on the basis of a distinctive certificate on the C2 server and C2 IP addresses previously associated with those actors. The victimology and the lures used in the attacks also match the groups' earlier activity.

Both groups have previously been associated with attacks deploying the PlugX RAT. In December 2022, Mustang Panda used the Ukraine-Russia war as a lure to deploy PlugX across Europe and the Asia Pacific, and in the same month RedDelta was linked to a campaign targeting European government organizations with a PlugX variant.

Conclusion

Chinese threat groups have persistently targeted European government entities, and SmugX fits that larger trend. Organizations are advised to use the IOCs published for the campaign to understand the attack pattern and to put in place measures that detect and remediate unusual activity at the earliest stage.
Cyware Publisher