China's Mustang Panda Linked to SmugX Attacks on European Governments

A Chinese threat group has adopted a sneak HTML technique long-used by its counterparts to target European policy-makers, in a campaign aimed at spreading the PlugX remote access Trojan (RAT).

Over the course of the last two months, Check Point Research (CPR) analysts have been tracking the activity, which they've dubbed SmugX because it uses an attack vector called HTML Smuggling — a technique for planting malicious payloads inside HTML documents, the researchers revealed in a report published earlier this week.

The campaign has been ongoing since at least December and appears to have a direct link to a previously reported campaign attributed to Chinese APT RedDelta, as well as the work of Chinese APT Mustang Panda (aka Camaro Dragon or Bronze President), although there is "insufficient evidence" to definitively link SmugX to either group, according to the research.

Moreover, while Check Point separates Mustang Panda and Camaro Dragon into two separate entities, other researchers refer to the two as one and the same; RedDelta, meanwhile, appears to have links to both groups, according to Check Point researchers.

SmugX represents a shift in targeting for Chinese threat actors, which in the past have primarily focused on Russia, Asia, and the US in their threat campaigns, they added. However, a recent campaign linked to Mustang Panda to use USB drives to spread self-propagating espionage malware already indicated that these groups already engaged in threat activity in Europe as part of their global intent.

SmugX targets mainly governmental ministries in Eastern European countries — including Ukraine, the Czech Republic, Slovakia, and Hungary — as well as in Sweden, France, and the UK. Document lures used to dupe victims focus on European domestic and foreign policies, typically impersonating key agencies in the respective country to appear authentic.

SmugX Cyberattack Details

SmugX uses as its malware-delivery mechanism HTML documents that contain diplomatic-related content. In more than one case, this content is directly related to China — including an article about two Chinese human rights lawyers sentenced to more than a decade in prison.

Other documents used in the campaign are a letter originating from the Serbian embassy in Budapest; a document stating the priorities of the Swedish Presidency of the Council of the European Union; an invitation to a diplomatic conference issued by Hungary's Ministry of Foreign Affairs.

The malware is embedded within these HTML documents, which allows them to evade network-based detection measures, according to the research.

Opening one of the malicious HTML documents results in the decoding of a JavaScript that includes the embedded payload — which in this case is PlugX, a RAT that has been used by Chinese threat actors since 2008. This sets off a chain of events that eventually leads to the deployment of the RAT, which employs a modular structure that accommodates several diverse plugins with distinct functionalities.

"This enables the attackers to carry out a range of malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution," according to the report.

The PlugX payload ensures its persistence in a process that first copies the legitimate program and the DLL and then stores them within a hidden directory it creates, with the encrypted payload stored in a separate hidden folder. The malware then adds the legitimate program to the Run registry key.

Defensive Maneuvers Against PlugX, RATs

Though neither the techniques nor the malware used in the campaign are new, SmugX does present a challenge for targeted organizations because of how it combines different tactics and its likelihood of not easily being detected. This allows "threat actors to stay under the radar for quite a while," according to Check Point.

To help organizations identify if they've been compromised, the report includes an extensive list of indicators of compromise (IoCs) that span HTML addresses, archives, JavaScript snippets, encrypted payload files, IPs and domains, and more.

Employees should always be wary of clicking on unknown links or files when using a corporate network, and check with IT departments before downloading anything new from the Internet. Moreover, a comprehensive combination of threat emulation and endpoint detection strategies also can defend against attacks such as SmugX, according to Check Point.