Chinese Threat Actor Organizes SmugX Attacks
European Governments Targeted

Overt Operator
July 05, 2023
Covert Cyber Crusade: Chinese Group Mustang Panda Orchestrates SmugX Attacks on European Governments
Over the last few months, a sophisticated cyber campaign targeting European policy-makers has drawn attention for its use of a tried-and-true HTML technique, ultimately deploying the PlugX remote access Trojan (RAT). The digital onslaught, dubbed "SmugX," is now believed to be the handiwork of a Chinese threat group known as Mustang Panda, according to Check Point Research (CPR) analysts.
SmugX employs a tactic known as HTML Smuggling, a method of concealing malicious payloads inside HTML documents so that they are assembled on the victim's machine rather than delivered as a recognizable attachment. This latest campaign adds to the group's repertoire, with evidence pointing to the work of Mustang Panda (alternatively known as Camaro Dragon or Bronze President) and the Chinese APT RedDelta. However, definitive attribution remains elusive because the available evidence is insufficient.
The revelation of SmugX marks a pivotal moment and a strategic shift for Chinese cyber actors, who historically have focused primarily on Russia, Asia, and the U.S. in their cyber offensives. Recent campaigns attributed to Mustang Panda, such as one leveraging USB drives to disseminate espionage malware, suggested the expansion of these operations into Europe. SmugX reinforces this trend, demonstrating a broader scope of global ambition.
This elaborate cyber crusade has singled out governmental entities across Europe, specifically targeting Eastern European countries such as Ukraine, the Czech Republic, Slovakia, and Hungary, as well as major players including Sweden, France, and the UK. The attack methodology encompasses a variety of malicious documents tailored to echo domestic and foreign policy themes, often masquerading as credible government agencies to entice victims.
SmugX's payload delivery mechanism is ingeniously concealed within HTML documents, adorned with diplomatic content. Certain documents contained content directly related to China, including news articles on the sentencing of Chinese human rights lawyers. Other decoys incorporated various correspondences, from letters from Serbian embassies to invitations from Hungary's Ministry of Foreign Affairs, encapsulating the breadth of their deceptive tactics.
The HTML documents decode an embedded JavaScript payload that carries the PlugX RAT. This process initiates a cascade of events culminating in the deployment of the RAT, which has a modular structure that accommodates a host of plugins, each with its own functionality. The intruders can thus carry out a wide range of nefarious activities, from file theft, screen captures, and keystroke logging to command execution.
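For defenders, the HTML Smuggling step described above leaves a recognizable footprint in the page's own script: a base64 decode, an in-browser Blob, an object URL and a forced download. The following heuristic scanner is an added example written for this article, not code from Check Point Research or from the SmugX samples; the marker set, the 1024-character base64 threshold and the two constructed HTML inputs are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic markers typical of payloads assembled client-side (assumed set).
SMUGGLING_MARKERS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\b"),
    # A long base64 literal embedded in the page (assumed threshold).
    "large_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{1024,}['\"]"),
}


class _ScriptCollector(HTMLParser):
    """Collect the raw text of every <script> element in the document."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def score_html(html: str) -> dict:
    """Return which smuggling markers appear in the page's inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    hits = [name for name, rx in SMUGGLING_MARKERS.items() if rx.search(js)]
    # Three or more co-occurring markers is the (assumed) alert threshold.
    return {"script_count": len(parser.scripts), "markers": hits, "suspicious": len(hits) >= 3}


# Constructed inputs: a decoy page that assembles a download in the browser,
# and an ordinary page with a harmless script. Neither carries a real payload.
SAMPLE_SMUGGLED = (
    "<html><body><p>Embassy notice</p><script>"
    "var d = atob('" + "QUJD" * 400 + "');"
    "var b = new Blob([d], {type: 'application/octet-stream'});"
    "var a = document.createElement('a');"
    "a.href = URL.createObjectURL(b); a.download = 'invitation.zip';"
    "</script></body></html>"
)
SAMPLE_BENIGN = "<html><body><script>document.title = 'Press release';</script></body></html>"
```

Running `score_html` on a mail-gateway or proxy capture of an HTML attachment gives a marker list that can feed a detection rule; a single marker alone is common in legitimate web apps, which is why the example alerts only on co-occurrence.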
SmugX poses a significant challenge to organizations due to its potent combination of tactics and its stealthy nature, allowing the threat actors to operate undetected for extended periods. In light of this, CPR provides a comprehensive list of indicators of compromise (IoCs) to aid organizations in detecting potential breaches.