PlugX Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/plugx/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last updated Thu, 06 Jul 2023 15:20:45 +0000.

PlugX malware attacks European diplomats
https://gridinsoft.com/blogs/plugx-malware-europe/
Thu, 06 Jul 2023 15:20:18 +0000

The post PlugX malware attacks European diplomats appeared first on Gridinsoft Blog.
Over the past few months, researchers have been monitoring the activity of a Chinese threat actor using PlugX malware to target foreign and domestic policy entities and embassies in Europe. This fits a broader trend of China-based groups increasingly focusing on European entities, particularly their foreign policy. The countries most targeted in this campaign are Central and Eastern European countries such as Slovakia, the Czech Republic, and Hungary. The key goal of these attacks is likely obtaining sensitive information about their foreign policies. The UK is the only country targeted so far that lies outside Central or Eastern Europe.

HTML smuggling as a method to bypass network detection.

The PlugX activity targets foreign policy entities in Europe, mainly Eastern Europe, by using HTML Smuggling. HTML Smuggling is a method used by hackers to conceal harmful payloads within HTML documents. The SmugX email campaign uses HTML Smuggling to download a JavaScript or a ZIP file. This creates a long infection chain that ultimately results in the victim being infected with PlugX.

Figure: Scheme of the HTML smuggling

Adversaries have used HTML smuggling for a while. Still, it has become more common since Microsoft blocked other popular methods of sneaking malware onto systems, such as macros in Word documents, which are now blocked by default.

HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code, researchers explain. The payload therefore never crosses the network as a recognizable file; the browser reassembles it on the endpoint.
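The reassembly behaviour described above is also what a defender can look for in HTML attachments pulled from mail or proxy logs. The following is an added example, not code from the Gridinsoft post or from the research it reports: a Python heuristic that flags an HTML document when it carries a payload-sized base64 run together with the JavaScript APIs used to turn such a run into a client-side download (Blob, URL.createObjectURL, a download attribute, or the legacy msSaveOrOpenBlob). The function name scan_html, the 512-character threshold and the two embedded sample pages are assumptions constructed for this example.

```python
"""Heuristic scanner for HTML-smuggling indicators (added example, constructed data)."""
import base64
import re
from dataclasses import dataclass, field

# JavaScript constructs commonly used to turn an inline payload into a download.
ASSEMBLY_PATTERNS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\bdownload\b"),
    "legacy_ie_save": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "atob": re.compile(r"\batob\s*\("),
}
# A smuggled binary is rarely tiny; 512 base64 chars (384 bytes) is an assumed floor.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}


@dataclass
class Finding:
    indicators: list = field(default_factory=list)
    blob_chars: int = 0          # length of the longest base64 run found
    decoded_type: str = "none"   # file type sniffed from the run's first bytes

    @property
    def suspicious(self) -> bool:
        # Both conditions are required: benign export pages use Blob APIs with no payload,
        # and inline images are base64 without any assembly logic.
        assembly = [i for i in self.indicators if i != "atob"]
        return self.blob_chars >= 512 and bool(assembly)


def _sniff(b64: str) -> str:
    # Decode only the first 64 chars (48 bytes): enough for a magic-byte check, cheap on large blobs.
    try:
        head = base64.b64decode(b64[:64])
    except ValueError:
        return "undecodable"
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_html(html: str) -> Finding:
    """Return which assembly APIs appear and whether a payload-sized blob accompanies them."""
    f = Finding()
    f.indicators = [name for name, pat in ASSEMBLY_PATTERNS.items() if pat.search(html)]
    runs = BASE64_RUN.findall(html)
    if runs:
        longest = max(runs, key=len)
        f.blob_chars = len(longest)
        f.decoded_type = _sniff(longest)
    return f


# Constructed sample 1: a pseudo-ZIP (correct magic, zero filler) embedded the way a smuggling page does.
_FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 600
SMUGGLED_HTML = (
    "<html><body><script>\n"
    "var payload = \"" + base64.b64encode(_FAKE_ZIP).decode() + "\";\n"
    "var blob = new Blob([payload]);\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob);\n"
    "a.download = 'report.zip';\n"
    "</script></body></html>"
)

# Constructed sample 2: a legitimate page with a tiny inline image and a CSV export helper.
BENIGN_EXPORT_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">
<script>
function exportCsv(rows) {
  var blob = new Blob([rows.join('\\n')], {type: 'text/csv'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'table.csv';
}
</script></body></html>"""


if __name__ == "__main__":
    for label, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_EXPORT_HTML)):
        r = scan_html(doc)
        print(f"{label}: suspicious={r.suspicious} type={r.decoded_type} "
              f"blob_chars={r.blob_chars} indicators={r.indicators}")
```

The point of requiring both a payload-sized blob and an assembly API is to keep false positives down: ordinary web apps use Blob and createObjectURL for CSV or PDF exports, and inline images are base64 with no assembly logic at all. Sniffing the decoded head gives triage a file type (zip, PE, PDF) without decoding the whole blob, which matters when the same check runs over every attachment on a mail gateway.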

Lure for European politicians

The attackers' lures focused primarily on European domestic and foreign policy and were aimed mainly at Eastern and Central European governmental organizations.

Figure: The SmugX submissions origins

Most of the documents found had content related to diplomacy, with some specifically concerning China and human rights. Furthermore, the names of the files imply that the targets were likely government officials and diplomats.

Figure: Documents containing diplomatic-related content

Attack on the European government

The attackers use HTML smuggling to drop either a JavaScript file or a ZIP archive onto the target system. In the case of a ZIP archive, it contains a malicious LNK file that launches PowerShell. If a JavaScript file is used instead, it downloads and executes an MSI file from the attackers' server.

Once on the system, the loader DLL decrypts the PlugX payload. PlugX can carry out a range of malicious activities, such as capturing screenshots, logging keystrokes, executing commands, and exfiltrating files. To keep the malware on the system, the infection chain downloads a legitimate executable and hijacks it to load the malicious DLL. The malware then copies the legitimate program and the DLL into a hidden directory and adds the legitimate program to the Run registry key to maintain persistence.

Is it possible to evade PlugX infection?

Potential targets of such attacks must prioritize defense. After a significant cyber attack, an organization should reset its cyber security approach and posture and reflect on its actions and decisions. This should be a lesson not only for governmental services but also for companies.

  • Regularly update the systems. It is essential to keep operating systems, software, and applications current with the latest security patches and updates to fix known vulnerabilities.
  • To enhance security, the cybersecurity training provided to government officials needs to be revamped.
  • Zero Trust principles play a particular role for such organizations and can fundamentally change their security posture.
  • Implementing strict access controls such as strong passwords, multi-factor authentication (MFA), and role-based access control is essential to prevent unauthorized access to sensitive data and systems.

To minimize the risk of attacks, companies should implement various security measures. These include adopting robust security strategies, such as the Zero Trust model, regularly updating and patching systems, providing thorough security awareness training, implementing strict access controls, segmenting networks, using advanced threat detection tools, regularly backing up data, conducting security assessments, and utilizing third-party security services. By taking these steps, companies can significantly reduce their vulnerability to attacks.

Stabbed in the back: Chinese Mustang Panda Cyberspies Attack Russian Officials
https://gridinsoft.com/blogs/mustang-panda-cyberspies-attack-russian-officials/
Fri, 29 Apr 2022 11:18:52 +0000

The post Stabbed in the back: Chinese Mustang Panda Cyberspies Attack Russian Officials appeared first on Gridinsoft Blog.
Secureworks researchers have discovered a phishing campaign by Chinese Mustang Panda cyberspies targeting Russian officials and the military.

According to experts, Chinese “government” hackers from the Mustang Panda group (aka HoneyMyte, Bronze President, RedDelta and TA416) are behind the attacks.

Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that, for example, RuRansom Malware Destroys Data in Russian Systems, so perhaps the Chinese hackers simply chose a side.

This hacker group has been active since at least July 2018, and most often its attacks target various regions of Southeast Asia, although sometimes hackers are also interested in targets from Europe and the United States.

Secureworks reports that this time the Mustang Panda is exhibiting unusual behavior as the attackers now appear to have focused on Russian military personnel and officials working near the border with China. In their phishing baits, hackers exploit the theme of Russia’s invasion of Ukraine: malicious documents are written in English and disguised as data published by the EU on sanctions against Belarus.

Figure: mustang panda cyberspies (lure screenshot)

Such lures are .exe executables disguised as PDF documents and named in Russian – “Blagoveshchensk – Blagoveshchensk border detachment.” Why a document with a Russian name contains English text is unclear; the hackers' logic in this matter has remained a mystery to researchers. Secureworks specialists came to only one clear conclusion: the target of this campaign is Russian officials or the military in the border region.

Figure: mustang panda cyberspies (decoy document screenshot)

“The war in Ukraine has prompted many countries to use their cyber capabilities to gain insight into global events, political manipulation and the motives of the parties. This desire for situational awareness often extends to gathering intelligence from allies and ‘friends’,” the researchers write.

Running the executable extracts many additional files, including the decoy document itself, which can be seen in the screenshot above, a malicious DLL loader, an encrypted version of the PlugX (aka Korplug) malware, and another .exe file.

PlugX is the hackers' main tool: a remote access Trojan for Windows that lets operators execute various commands on infected systems, steal files, install backdoors and deploy additional malicious payloads. Several Chinese hack groups have relied on this malware for many years.

It should be noted that the results of the Secureworks study complement the reports of Proofpoint and ESET, released last month. They detailed the use of a new PlugX variant codenamed Hodur, so named because of its resemblance to another variant called THOR.

“Attacks on Russian-speaking users and European organizations suggest that the attackers have received updated tasks that reflect the constantly changing requirements of the PRC for the collection of intelligence,” Secureworks experts summarize.
