Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems.

Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022.

"The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point said.

"Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar."
 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801
n the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy.
The activity described in this report, utilizes HTML Smuggling to target governmental entities in Eastern Europe. This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent).
The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods results in low detection rates, which until recently helped the campaign fly under the radar.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
It is worth mentioning that HTML Smuggling can force the file download, but cannot execute the downloaded payload.
In some cases, HTML Smuggling + exploit can download and automatically execute the payload without the user's intervention. But in most cases, the payload must be executed manually by the user.
In the article (and many others) the authors do not explicitly mention that the JavaScript (second stage) payload is not executed in the web browser but via Windows Script Host (JScript engine).
Such attacks (JScript, MSI payloads) can be prevented in Enterprises via Windows built-in features like SRP, AppLocker, and WDAC. Windows Script Host can be also blocked in GPO.

It looks like one of the JavaScript payloads is still undetected on Virus Total:

1688466434399.png


Of course, it does not mean that the AVs cannot prevent/block/detect the attack in another way.

Post edited.
 
Last edited:

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,489
It is worth mentioning that HTML Smuggling can force the file download, but cannot execute the downloaded payload.
In some cases, HTML Smuggling + exploit can download and automatically execute the payload without the user's intervention. But in most cases, the payload must be executed manually by the user.
In the article (and many others) the authors do not explicitly mention that the JavaScript payload is not executed in the web browser but via Windows Script Host (JScript engine).
Such attacks (JScript, MSI payloads) can be prevented in Enterprises via Windows built-in features like SRP, AppLocker, and WDAC. Windows Script Host can be also blocked in GPO.
It's very worth mentioning Andy, I often post articles like this one and I can never be sure that it's accurate/valid, it would take a member with your knowledge to verify. I wonder if there is a member here that has the time and expertise to do this? I know you are very busy but maybe another member.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
It's very worth mentioning Andy, I often post articles like this one and I can never be sure that it's accurate/valid, ...

The articles from "CPR - Check Point Research " are written by experts, so the authors often skip some details.
The problem with understanding HTML Smuggling is that it can use JavaScript code embedded in the HTML - all of this is automatically executed in the context of the web browser and ends with downloading the payload without user interaction (HTML5 is required). The payload can be anything (EXE, MSI, script, disk image, archive, etc.), including another JavaScript code (JS payload). In the case of JS payload, it is usually executed outside the web browser via Windows Script Host (JScript engine) - that part of the attack usually requires user interaction (except for some exploits). It is easy to misunderstand the role of JavaScript code in such attacks.
The advantage of HTML Smuggling is that the payload is built locally behind the firewall, so Network Protection can be often evaded.

Some details can be found in many sources, for example:
 
Last edited:

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,734
For Check Point, the malicious website will be blocked when the gz cache file is parsed and also, emulated. Even if it’s new and unknown one. With Harmony Endpoint protection starts from the browser. Afterwards, second stage downloader will be emulated too and blocked, even if protection is disabled.

In addition, blocking wscript.exe (highly recommended) via Application Control can suspend this attack and many others.
 

Xeno1234

Level 14
Jun 12, 2023
699
For Check Point, the malicious website will be blocked when the gz cache file is parsed and also, emulated. Even if it’s new and unknown one. With Harmony Endpoint protection starts from the browser. Afterwards, second stage downloader will be emulated too and blocked, even if protection is disabled.

In addition, blocking wscript.exe (highly recommended) via Application Control can suspend this attack and many others.
Checkpoint also probably blocks it behaviorally - as its behaviorally engine is great too.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
Several months ago, I posted a scenario of infection even when the user is very cautious and uses additional checking of downloaded files.
  1. The user visits an infected website that allows downloading benign executables.
  2. The infected website uses HTML Smuggling to drop also a malicious DLL.
  3. The user is not aware that something else was dropped to the Downloads folder, so he/she checks only the benign file (Virus Total, Online Sandbox, Secondary AV scanner, SmartScreen, etc.). These checks will confirm that the file is really OK.
  4. The benign file is executed by the user, but in fact, it is vulnerable to DLL hijacking. The malicious DLL (dropped by HTML Smuggling) is automatically executed and the computer can be infected.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,734
It is a very possible scenario but definitely not a sustainable one that can allow criminals to run a business. There are too many files in this attack and the behaviour of dll side loading normally is well covered. The list of vulnerable apps is also not that huge…
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
The list of vulnerable apps is also not that huge…
I am afraid that it is huge. :confused:
Popular installation packages like Inno Setup and NSIS had this issue for several years. So there are hundreds (thousands?) of vulnerable application installers (usually older ones). There are also many vulnerable Windows built-in executables (older versions), Windows tools, etc. But, currently, the DLL hijacking attacks do not use the method described in my post. It is simpler to use a disk image file or an archive, that contains EXE + hidden DLL. This is enough to fool most users.
 

piquiteco

Level 14
Oct 16, 2022
626
The user is not aware that something else was dropped to the Downloads folder, so he/she checks only the benign file (Virus Total, Online Sandbox, Secondary AV scanner, SmartScreen, etc.). These checks will confirm that the file is really OK.
And in a scenario where the user is running the browser inside a sandbox, wouldn't there be some benefit in protection in this particular case?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
And in a scenario where the user is running the browser inside a sandbox, wouldn't there be some benefit in protection in this particular case?
If the Downloads folder is fully contained, then running the downloaded benign file will infect only the Sandbox. But, the malware in the Sandbox can still spy on the user, depending on the sandbox restrictions. The Downloads folder in the sandbox is usually almost empty, so it is easier to see if something was silently dropped and this can help to identify the problem. Another pro of using the sandbox is that the user will usually copy&run only the benign executables in the real system.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top