October 3, 2023

Researchers have spotted a Chinese APT campaign, dubbed SmugX, that targets European government entities focused on foreign and domestic policy. The campaign uses HTML smuggling, a technique in which attackers hide malicious payloads inside HTML documents.

Active since December 2022, the campaign is likely a direct continuation of a previously reported campaign attributed to RedDelta and the Mustang Panda group. The campaign appears to be focused on Eastern European countries, including the Czech Republic, Slovakia, and Hungary.

Combined with previously reported activity by other Chinese-based groups, this represents a larger trend within the Chinese ecosystem: a shift in targeting towards European entities, with a focus on their foreign policy.


The campaign uses new delivery methods to deploy a new variant of PlugX, an implant commonly associated with various Chinese threat actors. Also known as Korplug or Sogu, PlugX is a remote access Trojan that provides unauthorized access to a compromised system, allowing an attacker to control and monitor an infected machine remotely.

While the payload used in the campaign is similar to those found in older PlugX variants, the new delivery method has resulted in lower detection rates and successful evasion. The way HTML smuggling is used in the SmugX email campaign results in the download of either a JavaScript file or a ZIP file, which starts a long infection chain that ends in a PlugX infection of the victim.

In the first scenario, the HTML smuggles a ZIP archive that contains a malicious LNK file that runs PowerShell. The PowerShell extracts a compressed archive embedded within the LNK file and saves it to the %temp% directory. The PowerShell then continues to run the hijacked software, triggering the execution of the PlugX payload stored in data.dat.

The second scenario utilizes HTML Smuggling to download a JavaScript file. When this file is executed, it downloads and executes an MSI file from the attackers’ server. The MSI creates a new folder within the %appdata%\Local directory, in which the three files extracted from the MSI package are stored. The dropped files consist of a hijacked legitimate executable, the loader DLL, and the encrypted payload, as described above.
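The delivery described above starts with an HTML page whose inline script carries the payload and reassembles it into a file download in the browser. The following scanner is an added example for defenders, not code from the article or from the SmugX campaign: it collects inline script from an HTML document, looks for a large base64 run together with the browser APIs commonly used to turn such a run into a download, identifies the decoded file type from its signature (the article mentions ZIP and MSI payloads), and returns a verdict. The scoring thresholds, the `MIN_BLOB_LEN` cut-off and the constructed sample page (which embeds a harmless one-file ZIP) are assumptions for illustration.

```python
"""Heuristic scanner for HTML-smuggling pages.

Added example (not part of the article): flags HTML whose inline script
carries a large base64 blob together with the browser APIs used to turn
it back into a file download. Thresholds and the constructed sample are
assumptions, not values taken from the SmugX report.
"""
import base64
import io
import re
import zipfile
from html.parser import HTMLParser

# Browser APIs typically combined to reassemble and drop a smuggled file.
DROP_APIS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download")
# Assumed threshold: a base64 run this long inside page script is rare in ordinary page logic.
MIN_BLOB_LEN = 64
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
# File signatures for the payload types the article mentions (ZIP, MSI) plus PE and PDF.
MAGIC = {b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole/msi", b"MZ": "pe", b"%PDF": "pdf"}


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and counts <a download> anchors."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.download_attrs = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "a" and any(name == "download" for name, _ in attrs):
            self.download_attrs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _file_kind(decoded):
    """Map the first bytes of a decoded blob to a file type name."""
    for sig, name in MAGIC.items():
        if decoded.startswith(sig):
            return name
    return "unknown"


def analyze_html(html):
    """Return findings: drop APIs seen, decodable base64 blobs with their file kind, and a verdict."""
    parser = _ScriptCollector()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    apis = [api for api in DROP_APIS if api in js]
    blobs = []
    for match in B64_RUN.finditer(js):
        raw = match.group(0)
        try:
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        blobs.append({"length": len(raw), "kind": _file_kind(decoded)})
    # Assumed scoring: each drop API counts one, any decodable blob counts two, download anchors one each.
    score = len(apis) + (2 if blobs else 0) + parser.download_attrs
    return {"apis": apis, "blobs": blobs, "download_attrs": parser.download_attrs, "suspicious": score >= 3}


def constructed_sample():
    """Constructed test fixture: a harmless one-file ZIP embedded the way a smuggling page embeds its payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless placeholder, not malware")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Loading document...</p><script>\n"
        f'var data = "{b64}";\n'
        "var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
        'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
        'var a = document.createElement("a");\n'
        'a.href = URL.createObjectURL(blob); a.download = "document.zip"; a.click();\n'
        "</script></body></html>"
    )


if __name__ == "__main__":
    print(analyze_html(constructed_sample()))
```

Run it on mail-gateway or proxy-captured HTML attachments; a page that scores as suspicious and whose blob decodes to a ZIP or OLE/MSI signature is worth pulling for sandbox analysis, whereas a plain `<a download>` link to a hosted PDF stays below the threshold.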


Some of the PlugX payloads we found write a deceptive lure in the form of a PDF file to the %temp% directory and then open it. The document path is stored within the PlugX configuration under document_name. It is worth mentioning that only a few samples within this campaign included the document_name field; it was missing in most of the samples.

The identified lure themes focused mainly on Eastern and Central European domestic and foreign policy entities, with a few Western European references. Most of the documents contained diplomacy-related content, directly related to China or to human rights in China. The intended victims included diplomats and public servants in government entities.

Indicators of Compromise

  • edb5d4b454b6c7d3abecd6de7099e05575b8f28bb09dfc364e45ce8c16a34fcd
  • 736451c2593bc1601c52b45c16ad8fd1aec56f868eb3bba333183723dea805af
  • 0e4b81e04ca77762be2afb8bd451abb2ff46d2831028cde1c5d0ec45199f01a1
  • 989ede1df02e4d9620f6caf75a88a11791d156f62fdea4258e12d972df76bc05
  • 10cad59ea2a566597d933b1e8ba929af0b4c7af85481eacaab708ef4ddf6e0ee
  • c96723a68fc939c835578ff746f7d4c5371cb82a9c0dffe360bb656acea4d6e1
  • 9ce5abd02d397689d99f62dfbd2a6a396876c6629cb5db453f1dcbbc3465ac9a
  • 5f751fb287db51f79bb6df2e330a53b6d80ef3d2af93f09bb786b62e613514db
  • baca1159acc715545a787d522950117eae5b7dc65efacfe86383f62e6b9b59d3
  • 720a70ca6ee1fbaf06c7cb60d14e27391130407e34e13a092d19f1df2c9c6d05
  • 460c459db77c5625ed1c029b2dd6c6eae5e631b81a169494fb0182d550769f76
  • 277390cc50e00f52e76a6562e6e699b0345497bd1df26c7c41bd56da5b6d1347
  • 3c6ace055527877778d989f469a5a70eb5ef7700375b850f0b1b8414151105ee
  • 27a61653ce4e503334413cf80809647ce5dca02ff4aea63fb3a39bc62c9c258c
  • ce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2
  • fd0711a50c8af1dbc5c7ba42b894b2af8a2b03dd7544d20f5a887c93b9834429
  • 3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb
  • 04b99518502774deb4a9d9cf6b54d43ff8f333d8ec5b4b230c0e995542bb2c61
  • bd3881964e351a7691bfc7e997e8a2c8ce4a8e26b79e3712d0cbdc484a5646b6
  • ea2869424df2ffbb113017d95ae48ae8ed9897280fd21b26e046c75b3e43b25a
  • b00c252a60171f33e32e64891ffe826b8a45f8816acf778838d788897213a405
  • 2bc30ced135acd6a506cfb557734407f21b70fecd2f645c5b938e14199b24f1e
  • 0d13a503d86a6450f71408eb82a196718324465744bf6b8c4e0a780fd5be40c0
  • 0bdfb922a39103658195d1d37ff584d24f7bd88464e7a119e86d6e3579958cc1
  • a0879dd439c7f1ed520aad0c309fe1dbf1a2fc41e2468f4174489a0ec56c47c7
  • bddbc529f23ab6b865bc750508403ef57c8cf77284d613d030949bd37078d880
  • 4547914e17c127d9b53bbc9d44de0e5b867f1a86d2e5ede828cd3188ed7fe838
  • 0032d5430f1b5fcfb6a380b4f1d226b6b919f2677340503f04df04235409b2d0
  • 62c2e246855d589eb1ec37a9f3bcc0b6f3ba9946532aff8a39a4dc9d3a93f42c
  • f7d35cb95256513c07c262d4b03603e073e58eb4cd5fa9aac1e04ecc6e870d42
  • bf4f8a5f75e9e5ecd752baa73abddd37b014728722ac3d74b82bffa625bf09b5
  • 8a6ef9aa3f0762b03f983a1e53e8c731247273aafa410ed884ecd4c4e02c7db8
  • ec3e491a831b4057fc0e2ebe9f43c32f1f07959b6430b323d35d6d409d2b31e4
  • bf8e512921522e49d16c638dc8d01bd0a2803a4ef019afbfc2f0941875019ea1
  • ba55542c6fa12865633d6d24f4a81bffd512791a6e0a9b77f6b17a53e2216659
  • 8ea34b85dd4fb64f7e6591e4f1c24763fc3421caa7c0f0d8350c67b9bafa4d32
  • 8cac6dfb2a894ff3f530c29e79dcd37810b4628279b9570a34f7e22bd4d416b3
  • ea5825fa1f39587a88882e87064caae9dd3b79f02438dc3a229c5b775b530c7d
  • 1acb061ce63ee8ee172fbdf518bd261ef2c46d818ffd4b1614db6ce3daa5a885
  • 08661f40f40371fc8a49380ad3d57521f9d0c2aa322ae4b0a684b27e637aed12
  • 324bfb2f414be221e24aaa9fb22cb49e4d4c0904bd7c203afdff158ba63fe35b
  • 45.90.58[.]69
  • 62.233.57[.]136
  • 217.12.207[.]164
  • 152.152.12[.]12
  • jcswcd[.]com
  • newsmailnet[.]com
  • C:\Users\<username>\VirtualFile
  • C:\Users\Public\VirtualFile
  • C:\Users\<username>\SamsungDriver
  • C:\Users\Public\SamsungDriver
  • C:\Users\Public\SecurityScan
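The indicators above are published defanged (`[.]` in IPs and domains) and the file paths contain a `<username>` placeholder, so they cannot be grepped for as written. The matcher below is an added example, not code from the article: it refangs each indicator, classifies it as a SHA-256 hash, IP, domain or path, compiles a bounded pattern for it (so that `45.90.58.69` does not also match `145.90.58.69` and `<username>` matches any single path component), and runs the patterns over log lines. The log lines are constructed for the example; the indicator subset is taken verbatim from the list above.

```python
"""Refang and match defanged indicators against log lines.

Added example (not from the article). The indicator subset is copied from
the article's IoC list; the log lines are constructed for illustration.
"""
import re

RAW_IOCS = [
    "edb5d4b454b6c7d3abecd6de7099e05575b8f28bb09dfc364e45ce8c16a34fcd",
    "45.90.58[.]69",
    "62.233.57[.]136",
    "jcswcd[.]com",
    "newsmailnet[.]com",
    r"C:\Users\<username>\VirtualFile",
    r"C:\Users\Public\SamsungDriver",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def refang(ioc):
    """Undo the common defanging conventions used in published reports."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc):
    """Return (kind, normalized value) for one indicator."""
    value = refang(ioc).strip()
    if HEX64.match(value.lower()):
        return "sha256", value.lower()
    if IPV4.match(value):
        return "ip", value
    if DRIVE_PATH.match(value):
        return "path", value
    return "domain", value.lower()


def compile_iocs(raw_iocs):
    """Build bounded regexes so partial overlaps (145.90.58.69, sub-domains) do not fire."""
    compiled = []
    for ioc in raw_iocs:
        kind, value = classify(ioc)
        if kind == "path":
            # <username> stands for exactly one path component; allow a sub-path or end of string after it.
            parts = [re.escape(p) for p in value.split("<username>")]
            rx = re.compile(r"[^\\]+".join(parts) + r"(\\|$)", re.IGNORECASE)
        elif kind == "domain":
            rx = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", re.IGNORECASE)
        elif kind == "ip":
            rx = re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")
        else:
            rx = re.compile(re.escape(value), re.IGNORECASE)
        compiled.append((kind, value, rx))
    return compiled


def scan_lines(lines, compiled):
    """Return (line number, kind, indicator) for every indicator hit; one line may yield several."""
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, value, rx in compiled:
            if rx.search(line):
                hits.append((number, kind, value))
    return hits


# Constructed log lines (DNS, proxy, file and EDR events); line 3 is a deliberate near-miss on the IP.
SAMPLE_LOGS = [
    "2023-07-03T10:01:02Z dns client=10.0.0.5 query=newsmailnet.com type=A",
    "2023-07-03T10:01:05Z proxy src=10.0.0.5 dst=45.90.58.69:443 bytes=2048",
    "2023-07-03T10:01:09Z proxy src=10.0.0.7 dst=145.90.58.69:443 bytes=99",
    r"2023-07-03T10:02:11Z file action=create path=C:\Users\jdoe\VirtualFile\data.dat",
    "2023-07-03T10:02:12Z edr action=process_start sha256=EDB5D4B454B6C7D3ABECD6DE7099E05575B8F28BB09DFC364E45CE8C16A34FCD",
    r"2023-07-03T10:02:13Z file action=create path=C:\Users\Public\SamsungDriver\placeholder.dll",
    "2023-07-03T10:03:00Z dns client=10.0.0.9 query=example.com type=A",
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS, compile_iocs(RAW_IOCS)):
        print(hit)
```

Feed the full list from the article into `RAW_IOCS` and point `scan_lines` at exported DNS, proxy, Sysmon or EDR logs; the path patterns are the most durable of the set, since the `VirtualFile` and `SamsungDriver` directory names survive changes of infrastructure and sample hashes.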
