China's Mustang Panda Linked to SmugX Attacks on European Governments

Published: 23/11/2024   Category: security




Attackers use HTML smuggling to spread the PlugX RAT in the campaign, which has been ongoing since at least December.



A Chinese threat group has adopted a sneaky HTML technique long used by its counterparts to target European policy-makers, in a campaign aimed at spreading the PlugX remote access Trojan (RAT).
Over the course of the last two months, Check Point Research (CPR) analysts have been tracking the activity, which they've dubbed SmugX because it uses an attack vector called HTML Smuggling — a technique for planting malicious payloads inside HTML documents, the researchers revealed in a report published earlier this week.
The campaign has been ongoing since at least December and appears to have a direct link to a previously reported campaign attributed to Chinese APT RedDelta, as well as the work of Chinese APT Mustang Panda (aka Camaro Dragon or Bronze President), although there is insufficient evidence to definitively link SmugX to either group, according to the research.
Moreover, while Check Point separates Mustang Panda and Camaro Dragon into two separate entities, other researchers refer to the two as one and the same; RedDelta, meanwhile, appears to have links to both groups, according to Check Point researchers.
SmugX represents a shift in targeting for Chinese threat actors, which in the past have primarily focused on Russia, Asia, and the US in their threat campaigns, they added. However, a recent campaign linked to Mustang Panda that used USB drives to spread self-propagating espionage malware had already indicated that these groups were engaged in threat activity in Europe as part of their global intent.
SmugX targets mainly governmental ministries in Eastern European countries — including Ukraine, the Czech Republic, Slovakia, and Hungary — as well as in Sweden, France, and the UK. Document lures used to dupe victims focus on European domestic and foreign policies, typically impersonating key agencies in the respective country to appear authentic.
SmugX uses as its malware-delivery mechanism HTML documents that contain diplomatic-related content. In more than one case, this content is directly related to China — including an article about two Chinese human rights lawyers sentenced to more than a decade in prison.
Other documents used in the campaign are a letter originating from the Serbian embassy in Budapest; a document stating the priorities of the Swedish Presidency of the Council of the European Union; and an invitation to a diplomatic conference issued by Hungary's Ministry of Foreign Affairs.
The malware is embedded within these HTML documents, which allows them to evade network-based detection measures, according to the research.
Opening one of the malicious HTML documents results in the decoding of embedded JavaScript that carries the payload — which in this case is PlugX, a RAT that has been used by Chinese threat actors since 2008. This sets off a chain of events that eventually leads to the deployment of the RAT, which employs a modular structure that accommodates several diverse plugins with distinct functionalities.
This enables the attackers to carry out a range of malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution, according to the report.
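The smuggling step described above, where a browser decodes script-embedded data into a file, leaves a recognizable footprint that network inspection misses but a content scanner can catch. The following heuristic scanner is an added example written for this article, not code from Check Point's report; the API marker list, the scoring weights and the two sample documents are all constructed assumptions, and the "payload" in the sample is a zip header followed by zero bytes.

```python
import re
import base64

# Browser APIs used to rebuild a file client-side. Any one alone is common
# in legitimate pages, so they only add weight in combination with a blob.
API_MARKERS = [r"\batob\s*\(", r"new\s+Blob\s*\(", r"URL\.createObjectURL\s*\(",
               r"msSaveOrOpenBlob", r"\.download\s*=", r"new\s+Uint8Array\s*\("]
# A base64 run at least this long is treated as a possible embedded payload.
MIN_BLOB_LEN = 256
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
# Magic bytes of containers a smuggled payload is typically wrapped in.
MAGICS = {b"PK\x03\x04": "zip", b"MZ": "pe", b"7z\xbc\xaf\x27\x1c": "7z"}

def blob_type(b64: str) -> str:
    """Decode only the first 64 chars (aligned, no padding needed) and sniff them."""
    head = base64.b64decode(b64[:64])
    return next((n for m, n in MAGICS.items() if head.startswith(m)), "unknown")

def scan_html(html: str) -> dict:
    """Return a score plus the evidence behind it for one HTML document."""
    apis = [p for p in API_MARKERS if re.search(p, html)]
    blobs = [(len(m.group(0)), blob_type(m.group(0))) for m in B64_RE.finditer(html)]
    score = len(apis)
    if blobs:
        score += 2                       # embedded blob of any kind
        if any(t in ("zip", "pe", "7z") for _, t in blobs):
            score += 3                   # blob is an archive or executable
    return {"score": score, "apis": apis, "blobs": blobs}

def is_suspicious(html: str, threshold: int = 5) -> bool:
    return scan_html(html)["score"] >= threshold

# Constructed samples (not real campaign artifacts). The script in the first
# one is deliberately incomplete; it only carries the indicator strings.
_ZIP_BLOB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 300).decode()
SMUGGLING_SAMPLE = f"""<html><body><script>
var raw = atob("{_ZIP_BLOB}");
var blob = new Blob([new Uint8Array(raw.length)], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invitation.zip"; a.click();
</script></body></html>"""
_PNG_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300).decode()
BENIGN_SAMPLE = f'<html><body><img src="data:image/png;base64,{_PNG_BLOB}"></body></html>'

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_html(doc))
```

The benign page scores only for its inline image (a base64 blob with no file-reconstruction APIs), which is why the score, not any single marker, drives the verdict.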
The PlugX payload ensures its persistence in a process that first copies the legitimate program and the DLL and then stores them within a hidden directory it creates, with the encrypted payload stored in a separate hidden folder. The malware then adds the legitimate program to the Run registry key.
Though neither the techniques nor the malware used in the campaign are new, SmugX does present a challenge for targeted organizations because of how it combines different tactics and its likelihood of not easily being detected. This allows threat actors to stay under the radar for quite a while, according to Check Point.
To help organizations identify if they've been compromised, the report includes an extensive list of indicators of compromise (IoCs) that span HTML addresses, archives, JavaScript snippets, encrypted payload files, IPs and domains, and more.
Employees should always be wary of clicking on unknown links or files when using a corporate network, and check with IT departments before downloading anything new from the Internet. Moreover, a comprehensive combination of threat emulation and endpoint detection strategies also can defend against attacks such as SmugX, according to Check Point.
