Alleged Chinese actors use HTML smuggling to launch PlugX RAT

July 5, 2023
Chinese Hackers Threat Actors HTML Smuggling PlugX RAT Malware Europe Cybercrime

A suspected Chinese state-sponsored threat group has been targeting embassies and Foreign Affairs ministries in Europe using HTML smuggling tactics to establish the PlugX remote access trojan (RAT) on infected systems.

According to reports, the campaign uses new delivery tactics to drop a new PlugX variant, an implant usually linked to China-based threat groups. The delivery method has a low detection rate, even though the payload itself is functionally similar to the older PlugX versions researchers have documented. The operators therefore still evade security solutions in these recent campaigns without having to change the implant much.


The Mustang Panda group could be the operators of the recent PlugX RAT attacks.


Researchers explained that the exact identity of the PlugX operators is still unclear; however, the available hints point towards the notorious Mustang Panda group, whose activity overlaps with clusters tracked under other vendor names, such as RedDelta, Earth Preta, and Camaro Dragon.

However, a separate researcher said there is no substantial evidence to conclude that the campaign is from one of the earlier-mentioned threat groups.

The one firmly established aspect of the attack is its use of HTML smuggling, a technique that abuses legitimate HTML5 and JavaScript features (typically base64-decoding a string with atob(), wrapping the bytes in a Blob, and saving it through an anchor that carries the download attribute) to assemble the malicious file inside the victim's browser. Because the payload is carried as encoded text within the page, it never crosses the network as a recognisable file download, which is what defeats perimeter inspection. The HTML attachments carrying the malware are commonly delivered through spear-phishing emails.
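To make the technique concrete, the following is an added example (not code from the reported campaign or from the researchers who analysed it). It shows the client-side reassembly step a smuggling page performs, and a small static triage routine that flags that pattern in an HTML attachment and recovers the embedded payload for further analysis. The HTML samples and the "payload" are constructed for the example; the indicator list, threshold of 200 base64 characters and filename are the author's own choices, not observed artefacts. It runs under Node.js with no dependencies.

```javascript
// Added example (not code from the reported campaign or its researchers):
// (1) the client-side reassembly step an HTML-smuggling page performs, and
// (2) a small static triage routine that flags that pattern in an HTML
// attachment and recovers the embedded payload. All samples are constructed.

// Constructed stand-in for a smuggled file (real campaigns carry an archive or executable).
const SAMPLE_PAYLOAD_TEXT = "constructed benign sample payload ".repeat(10);
const SAMPLE_PAYLOAD_B64 = Buffer.from(SAMPLE_PAYLOAD_TEXT, "utf8").toString("base64");

// Constructed HTML attachment in the smuggling style: the file never crosses the
// network as a download. It is carried as a base64 string inside the page, decoded
// with atob(), wrapped in a Blob, and saved through a hidden <a download> link.
const SAMPLE_SMUGGLING_HTML = `<!doctype html>
<html><body><p>Loading document...</p>
<script>
  var b64 = "${SAMPLE_PAYLOAD_B64}";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Invitation.zip";   // hypothetical filename
  document.body.appendChild(a);
  a.click();
</script>
</body></html>`;

// Constructed ordinary page with a script but no smuggling pattern.
const SAMPLE_BENIGN_HTML =
  `<!doctype html><html><body><h1>Agenda</h1><script>console.log("loaded");</script></body></html>`;

// Indicator groups. "assemble" = bytes are built from data already in the page;
// "deliver" = the built bytes are pushed to disk. Both together is the smuggling signature.
const ASSEMBLE_INDICATORS = [
  ["atob", /\batob\s*\(/],
  ["blob-constructor", /new\s+Blob\s*\(/],
  ["data-uri-base64", /;base64,/],
];
const DELIVER_INDICATORS = [
  ["object-url", /createObjectURL\s*\(/],
  ["download-attribute", /\.download\s*=|\sdownload\s*=/],
  ["ms-save-blob", /msSaveOrOpenBlob/],
  ["synthetic-click", /\.click\s*\(\s*\)/],
];

// Return the names of indicators from `table` that appear in `html`.
function matchIndicators(html, table) {
  return table.filter(([, re]) => re.test(html)).map(([name]) => name);
}

// Pull out long base64 string literals and decode them. On a real attachment the
// result is the file the victim would have saved, ready for hashing or detonation.
function extractEmbeddedPayloads(html, minLength = 200) {
  const literal = new RegExp(`["']([A-Za-z0-9+/]{${minLength},}={0,2})["']`, "g");
  const payloads = [];
  for (const m of html.matchAll(literal)) {
    payloads.push(Buffer.from(m[1], "base64"));
  }
  return payloads;
}

// Triage verdict: suspicious when the page both assembles bytes in-script and
// pushes them to disk, and a sizeable embedded blob is present.
function analyzeHtml(html, minLength = 200) {
  const assemble = matchIndicators(html, ASSEMBLE_INDICATORS);
  const deliver = matchIndicators(html, DELIVER_INDICATORS);
  const payloads = extractEmbeddedPayloads(html, minLength);
  return {
    assemble,
    deliver,
    payloadCount: payloads.length,
    payloads,
    suspicious: assemble.length > 0 && deliver.length > 0 && payloads.length > 0,
  };
}

// Stand-alone run: analyse both constructed samples and show what was recovered.
for (const [label, html] of [["smuggling", SAMPLE_SMUGGLING_HTML], ["benign", SAMPLE_BENIGN_HTML]]) {
  const r = analyzeHtml(html);
  console.log(label, { assemble: r.assemble, deliver: r.deliver, suspicious: r.suspicious });
  for (const p of r.payloads) {
    console.log("  recovered", p.length, "bytes:", JSON.stringify(p.toString("utf8").slice(0, 40)));
  }
}
```

The detector is deliberately simple: attackers obfuscate the decoding step (split strings, custom base64 alphabets, XOR before Blob construction), so in practice the static check is a cheap first pass and the reliable answer comes from detonating the attachment in a sandbox that actually executes the JavaScript and captures the file it writes.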

An analysis of the documents uploaded to the VirusTotal malware database reveals that the actors designed the campaign to target diplomats and government entities in Czechia, Hungary, Slovakia, the U.K., Ukraine, France, and Sweden.

In one scenario, the attackers used a Uyghur-themed lure document that, once opened by a target, contacts an external server through an embedded, invisible tracking pixel, giving the operators reconnaissance information about the victim before any further stage is delivered.

Furthermore, this multi-stage infection process relies on DLL side-loading: a legitimate, signed executable is dropped next to a malicious DLL that the executable loads by name, and that DLL decrypts and deploys the PlugX RAT in memory. Because the process that loads the implant is a trusted binary, this stage also helps the malware evade security solutions.

PlugX, also known as KorPlug, is a malware family that emerged in 2008 as a modular trojan able to accommodate plugins with distinct functionalities. Experts said this modular design lets its operators steal files, capture screenshots, log keystrokes, and execute commands on the infected host.

Organisations, especially in the countries mentioned above, should adopt layered defences to mitigate the impact of this newly discovered campaign: treat HTML and archive attachments from external senders as high risk and detonate them in a sandbox that executes JavaScript, and monitor for signed executables loading unsigned DLLs from user-writable directories, which is the footprint of the DLL side-loading stage.
