The cybersecurity world is shaken by a recent discovery. Chinese nation-state groups have used clever HTML smuggling tactics to target European foreign affairs ministries and embassies. Their goal: to plant the dangerous PlugX remote access trojan on compromised systems.
An intriguing new method
This activity, dubbed SmugX, has reportedly been ongoing since December 2022. The hackers use innovative delivery methods to deploy the trojan, according to Check Point, a well-known cybersecurity firm. “Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar,” they noted.
There’s a hint that the infamous Mustang Panda could be the group behind this operation. Still, Check Point cautioned that there’s “insufficient evidence” at this point to decisively attribute it to this adversarial collective.
HTML Smuggling explained
The latest attack sequence is notable for its use of HTML Smuggling, a technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware. The technique is embedded in the decoy documents attached to spear-phishing emails.
In simple terms, HTML smuggling stores the binary payload inside the JavaScript of an HTML page as an immutable blob of data. Trustwave, another cybersecurity firm, pointed out that this blob is decoded into a file object when the page is opened in a web browser, so the file is assembled on the victim's machine rather than sent as a recognisable attachment.
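As an added example (not part of the article or of Check Point's or Trustwave's research), the following Python triage script applies that description from the defender's side: it flags the browser APIs a page needs to build and drop a file from script, and decodes any long base64 literal to learn what file type the page would produce. The indicator weights, the 200-character floor and the sample page are assumptions of this example.

```python
import base64
import re

# Added example, not from the article or from Check Point: a static triage check
# for HTML attachments that flags the JavaScript idioms HTML smuggling relies on
# and decodes long base64 literals to learn what file type the page would drop.
# Real browser API names; the weights are this example's own assumption.
INDICATORS = {
    "blob_constructor": (re.compile(r"new\s+Blob\s*\("), 2),
    "object_url": (re.compile(r"URL\.createObjectURL\s*\("), 2),
    "legacy_save_blob": (re.compile(r"msSaveOrOpenBlob\s*\("), 2),
    "anchor_download": (re.compile(r"\.download\s*="), 1),
    "base64_decode": (re.compile(r"\batob\s*\("), 1),
}
# Quoted base64 runs of 200+ chars: an assumed floor that skips short tokens.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")
# File signatures that should never be assembled inside an HTML document.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive",
         b"\x7fELF": "ELF executable", b"%PDF": "PDF document"}

def identify(data: bytes) -> str:
    return next((n for sig, n in MAGIC.items() if data.startswith(sig)), "unknown")

def analyze_html(html: str) -> dict:
    """Return matched indicators, decoded payload types and a risk score."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    score = sum(INDICATORS[h][1] for h in hits)
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not valid base64, ignore
        kind = identify(blob)
        payloads.append({"bytes": len(blob), "type": kind})
        if kind != "unknown":
            score += 3  # a recognised file type inside the page is the strongest signal
    return {"indicators": hits, "payloads": payloads, "score": score,
            "verdict": "suspicious" if score >= 5 else "clean"}

# Constructed sample: a page that decodes an inert, zero-filled ZIP header and
# hands it to the browser as a download. No real archive or malware is embedded.
SAMPLE_HTML = """<html><body><p>Loading document...</p><script>
var d = atob('%s'), a = new Uint8Array(d.length);
for (var i = 0; i < d.length; i++) a[i] = d.charCodeAt(i);
var l = document.createElement('a');
l.href = URL.createObjectURL(new Blob([a])); l.download = 'invite.zip'; l.click();
</script></body></html>""" % base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()

if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
```

Run against a quarantined attachment, a "suspicious" verdict with a recognised file type in `payloads` is the cue to detonate the HTML in a sandbox rather than trust its benign-looking markup.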
Who is at risk?
Analysts have examined documents uploaded to the VirusTotal malware database, which reveal the hackers are focusing on diplomats and government entities in multiple European countries. Nations under threat include Czechia, Hungary, Slovakia, the U.K., Ukraine, and possibly France and Sweden.
The world of cybersecurity
One reported attack involved an Uyghur-themed lure that, when opened, connected to an external server to exfiltrate reconnaissance data. The hackers deploy a multi-stage infection process that uses DLL side-loading to decrypt and launch the final payload, PlugX.
PlugX, also known as Korplug, is a modular trojan dating back to 2008. It accommodates diverse plugins that allow the operators to carry out file theft, screen captures, keystroke logging, and command execution.
Our readers, what are your thoughts on this new form of cyber attack? Do you believe that greater measures need to be implemented to combat these threats? Please share your thoughts with us in the comments section below!