HTML Smuggling is a new threat to European cybersecurity

An unknown hacker group suspected of links to the Chinese Communist Party attacked foreign ministries and embassies in Europe using HTML Smuggling to deliver a trojan Plug X on infected systems. About it reported cyber security company check point, which named this operation SmugX. According to the researchers, the malicious campaign has been ongoing since December 2022.

“The campaign uses new delivery methods for PlugX, a spyware that is often associated with various Chinese threats,” Check Point said in a report.

“Although the payload itself remains similar to that of older versions of PlugX, its delivery methods provide a low level of detection, which, until recently, helped the campaign go unnoticed,” the experts added.

Which group is responsible for this operation is not yet clear for sure, but the evidence points to the Mustang Panda group, which also has intersections with other threat clusters known as Earth Preta, RedDelta and Camaro Dragon according to the Check Point classification. The researchers also said that there is currently “insufficient evidence” to definitively attribute this hacker collective.

The latest attack in the SmugX campaign is notable for using HTML Smuggling, a clever technique in which cybercriminals abuse legitimate HTML5 features and JavaScript to build and run malware in deceptive documents attached to phishing emails.

“HTML Smuggling uses HTML5 attributes that can work offline by storing the binary in an immutable block of data inside the JavaScript code. Block or embedded payload data is decoded into a file object when opened through a web browser,” noted trustwave in February of this year.

Analysis of documents that have been uploaded to the malware database VirusTotalshows that they are designed to attack diplomats and state structures in the Czech Republic, Hungary, Slovakia, Great Britain, and also probably France and Sweden.

Multi-stage infection process uses a familiar method DLL Sideloading to decrypt and run the final payload – PlugX.

PlugX, on the other hand, is a spyware that appeared back in 2008 and is a modular trojan capable of supporting “a variety of plug-ins with different functionality”, allowing its operators to steal files, capture the screen, log keystrokes and execute commands. .

“During our sample investigation, the attacker sent a batch script received from C2 serversdesigned to erase any traces of its activities, ”Check Point said.

“This script, named destroys the legitimate executable, the PlugX loader DLL, and the registry key used for saving, and then deletes itself. This is probably the result of the attackers realizing that they are under scrutiny, ”the researchers concluded.