Saturday, January 25, 2025
HomeCyber AttackHackers Use HTML Smuggling Technique to Attack European Government Entities

Hackers Use HTML Smuggling Technique to Attack European Government Entities

Published on

SIEM as a Service

Follow Us on Google News

Over recent months, CPR (Check Point Research) monitored a Chinese threat actor attacking European Foreign Affairs ministries and embassies.

Check Point Research identified a broader trend of Chinese activity, specifically targeting European entities and their foreign policy.

While security analysts identified that threat actors were found using HTML Smuggling.

Since December 2022, this campaign has been ongoing and is probably a direct extension of a previously disclosed RedDelta campaign.

Several new delivery methods were used in this campaign to deploy a new variant of an implant, “PlugX,” that is linked to various Chinese threat actors.

HTML Smuggling implementation (Source -Checkpoint)

HTML Smuggling Technique

In the SmugX campaign, HTML Smuggling is applied, leading to JavaScript or ZIP file downloads.

The lure themes primarily target the governmental ministries in Eastern Europe since they are mainly focused on European domestic and foreign policies.

Targets and lures (Source -Checkpoint)

Most documents featured diplomatic content, with some directly linked to China in multiple instances. The lures include:-

  • A letter originating from the Serbian embassy in Budapest.
  • A document stating the priorities of the Swedish Presidency of the Council of the European Union.
  • An invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs.
  • An article about two Chinese human rights lawyers sentenced to more than a decade in prison.
Some of the lures used in this campaign (Source -Checkpoint)

A document called “China Tries to Block Prominent Uyghur Speaker at UN.docx,” was discovered by the security analysts during their analysis, and it was uploaded to VirusTotal.

Besides this, to access the following URL, the document uses a remote image technique, and it contains a single-pixel image that it keeps hidden from the user:-

  • https://www[.]jcswcd[.]com/?wd=cqyahznz

It’s known as Pixel tracking, a common reconnaissance tool that logs the following information when the attackers’ server receives a request for the remote image:-

  • IP address
  • User-agent
  • Access time

Infection Chains

In total, there are two infection chains that stem from an HTML file that stores the second stage in the Download folder as per the browser settings of the victim.

One chain deploys a malicious LNK file inside a ZIP file, while to fetch an MSI file from a remote server, the other chain employs JavaScript.

Infection chains (Source -Checkpoint)

PlugX malware, used by Chinese threat actors since 2008, serves as the final payload, and it’s operated as a remote access tool (RAT) with a modular structure for flexible plugin integration.

For persistence, the PlugX payload duplicates and hides both the legitimate program and DLL in a newly created hidden directory.

Though none of the techniques employed in this campaign are unexplored, the blend of a wide range of tactics and infection chains with low detection rates allowed the threat actors to remain undetected for an extended period of time.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...