Posted on July 5, 2023 at 10:14 AM

Chinese Sponsored Hackers Use HTML Smuggling To Conduct Attacks

A threat actor group based in China has been observed to be targeting Foreign Affairs ministries and embassies across Europe. The hacker group is using HTML smuggling techniques to deliver the PlugX remote access trojan on the compromised systems.

Chinese hackers deploy HTML smuggling

A report by the Check Point cybersecurity company referred to the activity being conducted by the Chinese state-sponsored hacker group as SmugX. The Check Point researchers said that the hacking activity has been going on since at least December last year.

The researchers at Check Point said that this activity was part of a larger trend conducted by Chinese advisories that are shifting their focus to the European continent. The researchers have also said that this hacking campaign has deployed new delivery methods to deploy a new malware variant that is known as PlugX.

According to the researchers, “the campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors.”

The researchers have also said that this payload has remained similar to the one that has been seen in the older variants of the PlugX malware. The delivery methods that were employed by the malware led to low detection rates. The low rate of detection has enabled this malware to go undetected for a long time.

The identity of the threat actor behind this malicious campaign has not been released. However, the existing clues left in this hacking exploit point to the likelihood of the campaign being conducted by Mustang Panda. This hacker group shares some overlaps with other clusters that were tracked as Earth Preta, RedDelta, and Camaro Dragon.

According to the company, there was no sufficient evidence at the time to attribute the Mustang Panda hacker group to the adversarial collective. The latest attack sequence deployed by the hackers has made use of HTML Smuggling, indicating that the hackers might have a high level of sophistication.

HTLM Smuggling is a hacking technique that allows threat actors to remain undetected. In this technique, the legitimate HTML and JavaScript features are exploited and used to deploy malware within the decoy documents. Such documents are sent to the intended victims through spear-phishing emails.

The HTML smuggling technique has piqued the interest of cybersecurity researchers. A report that was published by Trustwave earlier this year said that the technique involves HTML 5 features that can operate offline by storing a binary within an immutable blob of data that exists within the JavaScript code.

The researchers at Trustwave also said that the data blob, which is also known as the embedded payload, will be decoded with a file object once it has been opened through the web browser.

Hackers  targeted diplomats and government entities

The VirusTotal malware database also contained an upload of the documents that were analyzed. The conducted analysis has also revealed that the documents that were analyzed have been designed to target government institutions and to target diplomats.

The entities that were targeted were from the governments of Czechia, France, Hungary, Slovakia, Sweden, Ukraine, and the UK. In one of the instances, the hacker is believed to have used an Uyghur-themed lure. The lure had the title “China Tries to Block Uyghur Speaker at UN.docx.”

Once this lure has been opened, it will reach out to an external server through an embedded and invisible tracking pixel to exfiltrate the reconnaissance data. The infection process comes in multiple stages, and it will utilize the DLL side-loading techniques to decrypt and release the final payload known as PlugX, which will later compromise the intended victim.

The PlugX malware is also known as Korplug. The malware has a rich history, given that it dates back to 2008. Korplug is a modular trojan with the ability to accommodate a wide range of plugins while serving multiple functionalities. The operators are enabled to steal files, take screenshots, command execution, and keystroke logging.

The researchers at Check Point said that during the time that they were conducting their investigations on the obtained samples, the hacker released a batch script that was sent from the C&C server. The script is aimed at getting rid of any traces of the activities of these hackers.

The script in question is known as del_RoboTask Update.bat, and it is used to get rid of the legitimate executable, PlugX loader DLL, and the registry key that has been put in place for persistence. It will later delete itself. It has not been revealed whether the move is a result of the hackers knowing that they are being monitored.