https://www.scmagazine.com/news/cybercrime/novel-plugx-malware-attacks-target-european-diplomats
NOVEL PLUGX MALWARE ATTACKS TARGET EUROPEAN DIPLOMATS
Simon Hendery, July 4, 2023

A recently discovered campaign to deploy PlugX malware into diplomatic organizations in Europe is believed to be part of a wider move by threat actors tied to China to shift their focus to European targets.

Researchers at Check Point Research (CPR) have been tracking the PlugX campaign for the past two months and say it has targeted embassies and foreign affairs ministries in several European countries.

“This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent),” CPR researchers said in a July 3 report.

There is a degree of crossover between RedDelta and Mustang Panda, two Chinese state-sponsored advanced persistent threat (APT) groups, both known for their focus on espionage.

In its report, CPR said the recently discovered campaign used new delivery methods, most notably HTML smuggling, to deploy a new variant of PlugX, a commonly used remote access tool (RAT) of Chinese origin. CPR is tracking the campaign as SmugX.

“Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar,” the researchers said.

WHAT IS HTML SMUGGLING?

HTML smuggling involves embedding malicious files inside HTML documents, allowing them to evade network-based detection methods. HTML smuggling isn't new; however, adversaries have relied on it more since Microsoft shut down other popular ways to sneak malware onto systems, such as by blocking macros by default in Word documents.

"HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code," wrote researchers at Trustwave in a blog posted earlier this year. "The data blob, or the embedded payload, gets decoded into a file object when opened via a web browser. Threat actors take advantage of the versatility of HTML in combination with social engineering to lure the user into saving and opening the malicious payload," they wrote.

HOW EUROPEAN GOVERNMENT ENTITIES WERE TARGETED

In the SmugX campaign, which is known to have targeted diplomatic entities in the UK, France, Sweden, Ukraine, Czech, Hungary, and Slovakia, the lure documents contained diplomacy-related content. Examples included a letter from the Serbian embassy in Budapest and an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs.

The threat actors used HTML smuggling to download either a JavaScript file or a ZIP file onto a compromised system. When a ZIP archive is used, it contains a malicious LNK file that runs PowerShell. When a JavaScript file is used, it downloads and executes an MSI file from the attackers’ server.

“As observed in past instances, PlugX malware employs DLL sideloading techniques,” the CPR researchers wrote. “After the lnk or MSI file drops the necessary files, it triggers the execution of a legitimate program, which in turn loads the malicious DLL.”

The DLL then decrypts the final payload, the PlugX malware, which can be used to carry out a range of malicious activities on compromised systems, including file exfiltration, screen capturing, keystroke logging, and command execution.

To ensure persistence, a hijacked legitimate executable is also downloaded during the infection process. The PlugX payload copies the legitimate program and the DLL into a newly created hidden directory. Persistence is achieved by adding the legitimate program to the Run registry key.

SIMILARITIES WITH MALICIOUS USB CAMPAIGN

“Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy,” the researchers said.

Last month, CPR reported on a new variant of self-propagating malware being spread via USB drives by a China state-backed APT group it was tracking as Camaro Dragon. In their latest report, the researchers said that while Camaro Dragon’s activity overlapped with Mustang Panda and RedDelta, there was insufficient evidence to link the new PlugX campaign directly to Camaro Dragon. Because of that, they decided to track the new campaign as SmugX.

“While none of the techniques observed in [the SmugX] campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” the researchers said. “As for PlugX, it also remained largely unchanged from previous appearances, although one new aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously utilized XOR encryption.”

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.