Posted on July 6, 2023 at 10:40 PM

Check Point Researchers Disclose A Hacking Campaign Targeting Key European Entities

Cybersecurity researchers at Check Point have detected a hacking campaign being conducted by a Chinese state-sponsored hacker group. The researchers published a report earlier this month saying that hackers based in China were increasingly launching hacking campaigns targeting Europe.

Chinese hackers launch hacking attacks in Europe

The report published by the Check Point researchers was released in July 3, 2023. This report noted that Chinese hackers are becoming more interested in launching hacking campaigns that target governments, embassies and foreign entities in Europe.

The majority of the hacking campaigns conducted by this group appear to be focused on Eastern Europe. The prime targets for these hackers appear to be Hungary, Slovakia and the Czech Republic.

The researchers behind the campaign have named it SmugX. Cybersecurity researchers have claimed that the hacking campaign has remained active since December last year. These researchers now claim that the campaign is an extension of another hacking campaign that was associated with Mustang Panda and the Red Delta hacker groups.

Both Mustanf Panda and RedDelta are hacker groups that have links to China. According to Check Point, the researchers noted that in the case of SmugX, the attackers were using HTML smuggling to target embassies across Europe. In this type of attack, the modular PlugX malware implant is smuggled or hidden within the HTML documents.

The threat actors that are behind this campaign use the HTML Smuggling technique to trick the web security systems. This allows them to avoid detection by antivirus systems and the security defenses that have been put in place.

HTML Smuggling is a technique that exploits HTML features to hide malicious data documents from automated content filters. It hides these details by making them a part of the JavaScript blobs that will reassemble on the targeted device.

PlugX is one of the most popular tools that are used for HTML smuggling. Multiple threat actors based in China have used this malware in the past. One of these threat actors is a group that targeted the Vatican in 2022 or another group that targeted the Indonesian Intelligence Service in 2021.

The malware in question was also used to conduct hacking campaigns against users across Ghana, Mongolia, New Guinea, Nigeria, Papua New Guide and Zimbabwe. These users were targeted by this hacker group in a USB drive-based hacking campaign.

Hacking campaign seeks to obtain sensitive data on foreign policies

The researchers at Check Point have also said that the main objective behind the exploit being conducted by SmugX was to secure sensitive information on the foreign policies of the countries that were targeted by such exploits.

The analysis conducted by the researchers on the matter is based on the samples that were posted on the VirusTotal malware repository. The files also contained names that were self-explanatory to indicate what is contained within.

The cybersecurity researchers said that the names used to label the files strongly suggested that the hackers wanted to target government agencies and diplomats. On the other hand, the content in question comprised content that had diplomatic ties to China. The hacking campaign also utilized several .docx and .pdf files, which also contained diplomatic content.

The researchers at Check Point have received a letter from the Serbian embassy in Budapest. The letter contained a document that revealed the priorities of the Swedish Presidency of the Council of the European Union. It also included an invitation to a diplomatic conference by the Hungarian foreign ministry.

The researchers also noted that there was an article about two Chinese human rights lawyers that received a sentence of ten years. The documents have been labeled using titles that are easy to understand. Each of these titles points to the content of the document and, in some cases, the date when a particular meeting or event happened.

The report noted that it is not the first time that such exploits have been reported because none of the techniques used was new or unique. The researchers said that the hackers had integrated multiple tactics to run their campaigns.

They also noted that the combination of various techniques to conduct these exploits led to low detection rates. It also allowed the hackers to stay under the radar without being detected by antivirus systems.

Check Point added that it was still conducting investigations related to this hacking activity. They were also monitoring the activities conducted by the SmugX hackers. It has said that once these investigations are complete, it will share new details.