Chinese actor targeting European diplomatic bodies

Signals shift towards Europe

Checkpoint Research says it has seen a Chinese threat actor targeting government entities in Europe, "with a focus on foreign and domestic policy entities."

The campaign, which Checkpoint has named "SmugX" uses a technique called HTML smuggling to deliver the PlugX remote access trojan (RAT) - a common Chinese payload.

HTML smuggling is an attack method where attackers hide malicious payloads inside HTML documents like web pages, which are downloaded when a user visits them.

Checkpoint has spotted a variety of documents used as lures, including:

• A letter originating from the Serbian embassy in Budapest
• A document stating the priorities of the Swedish Presidency of the Council of the European Union
• An invitation to a diplomatic conference issued by Hungary's Ministry of Foreign Affairs
• An article about two Chinese human rights lawyers sentenced to more than a decade in prison

The names of the documents also indicate that the intended victims were diplomats and government entities. For example, "Draft Prague Process Action Plan_SOM_EN," "2262_3_PrepCom_Proposal_next_meeting_26_April" and "Comments FRANCE - EU-CELAC Summit - May 4".

Opening any of the documents sets as process in motion that eventually ends with the PlugX RAT being installed on a victim's machine.

PlugX is a modular tool, accommodating a range of plugins with distinct functionalities.

Attackers can use this modular structure to tweak PlugX for their intended use, such as file theft, screen capture and keystroke logging. It can even be used for command execution.

"To ensure persistence, the PlugX payload copies the legitimate program and the DLL and stores them within a hidden directory it creates," Checkpoint writes.

"The encrypted payload is stored in a separate hidden folder. The malware achieves persistence by adding the legitimate program to the Run registry key."

Unlike past uses of PlugX, Checkpoint saw this campaign using RC4 encryption - a more advanced form than seen before.

Checkpointing at China

As mentioned, Chinese attackers have used PlugX in the past, but the researchers looked for more definitive proof before assigning blame.

The campaign was also found to share similarities with those launched by Chinese groups RedDelta and Mustang Panda (sometimes conflated as the same group).

For example, a "distinctive" certificate on the command and control server drew links with both groups. The file paths used have also been observed in RedDelta / Mustang Panda campaigns.

Finally, the victimology and lure tactics are "highly correlated" to those described in RedDelta and Mustang Panda reports by other vendors.

"The campaign...is part of a larger trend we're seeing of Chinese threat actors shifting their focus to Europe," said Checkpoint.