In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting foreign and domestic policy entities as well as embassies in Europe.

The researchers unpack their findings:

Combined with other Chinese based groups’ activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift in target towards European entities, with a focus on their foreign policy.

In this campaign, apart from the UK, most of the targeted countries are Eastern European countries like the Czech Republic, Slovakia and Hungary, and as per our assessment, the goal of the campaign is to get ahold of sensitive information on the foreign policies of those countries.

The activity described in this report utilises HTML Smuggling to target foreign policy entities in Europe, focusing on Eastern Europe. HTML Smuggling is a technique in which attackers hide malicious payloads inside HTML documents.

This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and to the Mustang Panda group to some extent).

The campaign uses new delivery methods (most notably HTML Smuggling) to deploy a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates and ‘successful’ evasions, which until recently helped the campaign fly under the radar.

The way HTML Smuggling is utilised in the SmugX email campaign results in the download of either a JavaScript or a ZIP file. This leads to a long infection chain which results in PlugX infection of the victim.
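A defender-side triage script for the pattern described in the two paragraphs above (a payload hidden inside an HTML document that the browser turns into a JavaScript or ZIP download). This is an added example, not Check Point's code or a SmugX artefact; the base64-run threshold, the trigger-API list and the sample page it scans are constructed assumptions.

```python
import base64
import io
import re
import zipfile

B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # heuristic (assumption): a long base64 run
# Browser APIs a page needs to turn an embedded string into a file download
TRIGGERS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download", ".click(")

def classify_payload(data: bytes) -> str:
    """Label a decoded blob: ZIP by magic bytes, script by keywords, else text/binary."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "javascript" if re.search(r"\b(var|function|eval|WScript)\b", text) else "text"

def scan_html(html: str) -> dict:
    """Report download-trigger APIs and embedded base64 payloads found in an HTML document."""
    triggers = [t for t in TRIGGERS if t in html]
    payloads = []
    for match in B64_RE.finditer(html):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # not real base64 (e.g. a long identifier), skip it
            continue
        entry = {"size": len(data), "kind": classify_payload(data), "members": None}
        if entry["kind"] == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entry["members"] = zf.namelist()  # what the recipient would find in the archive
        payloads.append(entry)
    # A page that both carries a payload and has the API calls to drop it matches the smuggling pattern
    return {"triggers": triggers, "payloads": payloads, "suspicious": len(triggers) >= 2 and bool(payloads)}

def build_sample_html() -> str:
    """Constructed sample (not a real SmugX lure): a harmless ZIP holding one text note,
    embedded in a page that would hand it to the browser as a download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Draft_Action_Plan.txt", "sample only")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ('<html><body><script>\n'
            f'var blob = new Blob([atob("{b64}")]);\n'
            'var link = document.createElement("a");\n'
            'link.href = URL.createObjectURL(blob);\n'
            'link.download = "document.zip";\n'
            'link.click();\n'
            '</script></body></html>')
```

Run `scan_html` over attachments or proxy-captured HTML; a hit with several triggers plus a decoded ZIP or script is worth a closer look even when the file itself scans clean.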

Lures and targets

The lure themes identified by our team are heavily focused on European domestic and foreign policies, and were used to target mostly governmental entities in Eastern and Central Europe. However, other western European countries were also referenced in the lures.

The majority of the documents contained diplomatic-related content. In more than one case, the content was directly related to China and human rights in China.

In addition, the names of the archived files themselves strongly suggest that the intended victims were diplomats and public servants in these government entities. Here are a few examples of the names we identified:

* Draft Prague Process Action Plan_SOM_EN

* 2262_3_PrepCom_Proposal_next_meeting_26_April

* Comments FRANCE – EU-CELAC Summit – May 4

* 202305 Indicative Planning RELEX

* China jails two human rights lawyers for subversion

Conclusion

In this research, we analysed a recent campaign that highlights the Chinese APT’s shift to persistent targeting of European government entities. We identified multiple infection chains that employ the HTML Smuggling technique, which leads to the deployment of the PlugX payload.

The campaign, dubbed ‘SmugX’, signifies a part of a larger trend we are seeing of Chinese threat actors shifting their focus to European entities, governmental ones in particular.