Since December 2022, a Chinese threat actor has been conducting a phishing campaign referred to as SmugX, which specifically targets embassies and foreign affairs ministries in the UK, France, Sweden Czech Republic, Hungary, and Slovakia. Security researchers at Check Point, a cybersecurity company, conducted analysis of the attacks and identified similarities with previous activities carried out by APT groups known as Mustang Panda and RedDelta.

The samples include:

• "A letter from the Serbian embassy in Budapest"
• "a document stating the priorities of the Swedish Presidency of the Council of the European Union"
• "an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs"
• "an article about two Chinese human rights lawyers"

“Check Point observed that SmugX attacks rely on two infection chains, both employing the HTML smuggling technique to hide malicious payloads in encoded strings of HTML documents attached to the lure message. One variant of the campaign delivers a ZIP archive with a malicious LNK file that runs PowerShell when launched, to extract an archive and save it into the Windows temporary directory. The extracted archive contains three files, one being a legitimate executable (either "robotaskbaricon.exe" or "passwordgenerator.exe") from an older version of the RoboForm password manager that allowed loading DLL files unrelated to the application, a technique called DLL sideloading. The other two files are a malicious DLL (Roboform.dll) that is sideloaded using one of the two legitimate executables, and "data.dat" - which contains the PlugX remote access trojan (RAT) that is executed through PowerShell. The second variant of the attack chain uses HTML smuggling to download a JavaScript file that executes an MSI file after downloading it from the attacker's command and control (C2) server. The MSI then creates a new folder within the "%appdata%\Local" directory and stores three files: a hijacked legitimate executable, the loader DLL, and the encrypted PlugX payload (‘data.dat’) Again, the legitimate program is executed, and PlugX malware is loaded into memory via DLL sideloading in an effort to avoid detection” (Bleeping Computer, 2023).

Security Officer Comments:
In order to ensure persistence, the malware employed in the campaign establishes a concealed directory where it conceals both legitimate executable and malicious DLL files, which also adding the program to the ‘Run’ registry key. Once installed and operational on the victim’s computer, PlugX, may employ a misleading PDF file to divert the victim’s attention and decrease suspicion. PlugX possesses a broad range of functionalities, including file exfiltration, capturing screenshots, keylogging and executing commands. The version that Check Point saw deployed in the SmugX campaign is largely the same as those see in recent attacks attributed to a Chinese adversary.

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Link(s):
https://www.bleepingcomputer.com/
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/