Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX

[MuzzMelbourne]

Content source

https://thehackernews.com/2023/07/chinese-hackers-use-html-smuggling-to.html

A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems.

Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022.

"The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point said.

"Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar."

Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX

Chinese cyber group targets European ministries with sophisticated HTML smuggling techniques to deploy the PlugX trojan.

thehackernews.com

 

[[correlate]]

n the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy.
The activity described in this report, utilizes HTML Smuggling to target governmental entities in Eastern Europe. This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent).
The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods results in low detection rates, which until recently helped the campaign fly under the radar.

Chinese Threat Actors Targeting Europe in SmugX Campaign - Check Point Research

Introduction In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger...

research.checkpoint.com

 

[Andy Ful]

It is worth mentioning that HTML Smuggling can force the file download, but cannot execute the downloaded payload.
In some cases, HTML Smuggling + exploit can download and automatically execute the payload without the user's intervention. But in most cases, the payload must be executed manually by the user.
In the article (and many others) the authors do not explicitly mention that the JavaScript (second stage) payload is not executed in the web browser but via Windows Script Host (JScript engine).
Such attacks (JScript, MSI payloads) can be prevented in Enterprises via Windows built-in features like SRP, AppLocker, and WDAC. Windows Script Host can be also blocked in GPO.

It looks like one of the JavaScript payloads is still undetected on Virus Total:

Of course, it does not mean that the AVs cannot prevent/block/detect the attack in another way.

Post edited.

 

[vtqhtr413]

It is worth mentioning that HTML Smuggling can force the file download, but cannot execute the downloaded payload.
In some cases, HTML Smuggling + exploit can download and automatically execute the payload without the user's intervention. But in most cases, the payload must be executed manually by the user.
In the article (and many others) the authors do not explicitly mention that the JavaScript payload is not executed in the web browser but via Windows Script Host (JScript engine).
Such attacks (JScript, MSI payloads) can be prevented in Enterprises via Windows built-in features like SRP, AppLocker, and WDAC. Windows Script Host can be also blocked in GPO.

It's very worth mentioning Andy, I often post articles like this one and I can never be sure that it's accurate/valid, it would take a member with your knowledge to verify. I wonder if there is a member here that has the time and expertise to do this? I know you are very busy but maybe another member.

 

[Andy Ful]

It's very worth mentioning Andy, I often post articles like this one and I can never be sure that it's accurate/valid, ...

The articles from "CPR - Check Point Research " are written by experts, so the authors often skip some details.
The problem with understanding HTML Smuggling is that it can use JavaScript code embedded in the HTML - all of this is automatically executed in the context of the web browser and ends with downloading the payload without user interaction (HTML5 is required). The payload can be anything (EXE, MSI, script, disk image, archive, etc.), including another JavaScript code (JS payload). In the case of JS payload, it is usually executed outside the web browser via Windows Script Host (JScript engine) - that part of the attack usually requires user interaction (except for some exploits). It is easy to misunderstand the role of JavaScript code in such attacks.
The advantage of HTML Smuggling is that the payload is built locally behind the firewall, so Network Protection can be often evaded.

Some details can be found in many sources, for example:

HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks | Microsoft Security Blog

HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks.

www.microsoft.com

 

[Trident]

For Check Point, the malicious website will be blocked when the gz cache file is parsed and also, emulated. Even if it’s new and unknown one. With Harmony Endpoint protection starts from the browser. Afterwards, second stage downloader will be emulated too and blocked, even if protection is disabled.

In addition, blocking wscript.exe (highly recommended) via Application Control can suspend this attack and many others.

 

[Xeno1234]

For Check Point, the malicious website will be blocked when the gz cache file is parsed and also, emulated. Even if it’s new and unknown one. With Harmony Endpoint protection starts from the browser. Afterwards, second stage downloader will be emulated too and blocked, even if protection is disabled.

In addition, blocking wscript.exe (highly recommended) via Application Control can suspend this attack and many others.

Checkpoint also probably blocks it behaviorally - as its behaviorally engine is great too.

 

[Andy Ful]

Several months ago, I posted a scenario of infection even when the user is very cautious and uses additional checking of downloaded files.

1. The user visits an infected website that allows downloading benign executables.
2. The infected website uses HTML Smuggling to drop also a malicious DLL.
3. The user is not aware that something else was dropped to the Downloads folder, so he/she checks only the benign file (Virus Total, Online Sandbox, Secondary AV scanner, SmartScreen, etc.). These checks will confirm that the file is really OK.
4. The benign file is executed by the user, but in fact, it is vulnerable to DLL hijacking. The malicious DLL (dropped by HTML Smuggling) is automatically executed and the computer can be infected.

 

[Trident]

It is a very possible scenario but definitely not a sustainable one that can allow criminals to run a business. There are too many files in this attack and the behaviour of dll side loading normally is well covered. The list of vulnerable apps is also not that huge…

 

[Andy Ful]

The list of vulnerable apps is also not that huge…

I am afraid that it is huge.
Popular installation packages like Inno Setup and NSIS had this issue for several years. So there are hundreds (thousands?) of vulnerable application installers (usually older ones). There are also many vulnerable Windows built-in executables (older versions), Windows tools, etc. But, currently, the DLL hijacking attacks do not use the method described in my post. It is simpler to use a disk image file or an archive, that contains EXE + hidden DLL. This is enough to fool most users.

 

[piquiteco]

The user is not aware that something else was dropped to the Downloads folder, so he/she checks only the benign file (Virus Total, Online Sandbox, Secondary AV scanner, SmartScreen, etc.). These checks will confirm that the file is really OK.

And in a scenario where the user is running the browser inside a sandbox, wouldn't there be some benefit in protection in this particular case?

 

[Andy Ful]

And in a scenario where the user is running the browser inside a sandbox, wouldn't there be some benefit in protection in this particular case?

If the Downloads folder is fully contained, then running the downloaded benign file will infect only the Sandbox. But, the malware in the Sandbox can still spy on the user, depending on the sandbox restrictions. The Downloads folder in the sandbox is usually almost empty, so it is easier to see if something was silently dropped and this can help to identify the problem. Another pro of using the sandbox is that the user will usually copy&run only the benign executables in the real system.