Cyber security firm Check Point said the activity, dubbed SmogX, has been ongoing since at least December 2022, part of a wider trend of Chinese adversaries turning their attention to Europe.
Check Point said, “The campaign uses new delivery methods to deploy a new variant of PlugX (specifically, HTML smuggling), an implant commonly associated with a variety of Chinese threat actors.”
“Although the payload itself remains very similar to that found in the older PlugX variant, its delivery methods result in a lower detection rate, which helped the campaign fly under the radar until recently.”
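The quoted delivery trick, HTML smuggling, assembles the payload inside the browser from data already embedded in the page rather than fetching an executable over the network, which is why gateway and proxy inspection sees only an HTML file. The following heuristic triage script is an added example written for this article, not Check Point's tooling and not related to the SmogX samples; the two HTML documents it inspects are constructed, and the indicator list and scoring threshold are assumptions a defender would tune to their own environment.

```python
import base64
import binascii
import re

# Constructed samples (invented for this example). The second one carries the
# hallmarks of HTML smuggling: a large base64 string decoded client-side, wrapped
# in a Blob and handed to a download link.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<script>document.title = "Report";</script></body></html>"""

SMUGGLED_HTML = """<html><body>
<script>
var b64 = "%s";
var bin = atob(b64);
var blob = new Blob([bin], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invitation.zip";
</script></body></html>""" % base64.b64encode(b"PK\x03\x04" + b"A" * 4000).decode()

# Indicator regexes: none of these is malicious on its own, the combination is
# what matters (assumed list, extend as needed).
INDICATORS = {
    "js_blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "b64_decode": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "navigator_save": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
}
# A quoted base64 run of at least 2000 characters (assumed threshold).
BIG_B64 = re.compile(r"[\"']([A-Za-z0-9+/]{2000,}={0,2})[\"']")


def analyse_html(html: str) -> dict:
    """Score an HTML document for HTML-smuggling indicators.

    Returns the matched indicator names, metadata about any large base64 blob
    that decodes cleanly (size and leading magic bytes, so an analyst can tell a
    ZIP or PE from an image without unpacking it), and a verdict.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    embedded = []
    for blob in BIG_B64.findall(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64, e.g. an inline image with line breaks
        embedded.append({"size": len(raw), "magic": raw[:4].hex()})
    # Each indicator counts once; a decodable blob weighs more because it is the
    # payload itself. Threshold of 3 is an assumption for this example.
    score = len(hits) + (2 if embedded else 0)
    return {
        "indicators": hits,
        "embedded_payloads": embedded,
        "score": score,
        "suspicious": score >= 3,
    }


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        print(label, analyse_html(doc))
```

The magic bytes are the most useful field for triage: `504b0304` is a ZIP header, `4d5a` a PE header, so an email gateway or sandbox can decide whether to detonate the reconstructed file without trusting the HTML at all.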
The exact identity of the threat actor behind the operation is a bit hazy, though existing clues point to Mustang Panda, which also overlaps with tracked groups such as Earth Preta, RedDelta, and Check Point’s own designation Camaro Dragon.
However, the company said there is “insufficient evidence” at this stage to conclusively attribute the activity to that adversarial collective.
Analysis of the documents uploaded to the VirusTotal malware database suggests they are designed to target diplomats and government entities in Czechia, Hungary, Slovakia, the U.K., Ukraine, and possibly France and Sweden.
In one instance, the threat actor is said to have employed a Uyghur-themed lure (“China tries to block prominent Uyghur speaker at UN.docx”) that, when opened, loaded an embedded, invisible tracking pixel from an external server, leaking reconnaissance data about the victim’s machine in the process.
The multi-stage infection process uses DLL side-loading methods to decrypt and launch the final payload, PlugX.
Also called Korplug, this malware dates back to 2008 and is a modular Trojan capable of accommodating “various plugins with different functionality” that enable operators to perform file theft, screen capture, keystroke logging, and command execution.
“During the course of our samples investigation, the threat actor sent a batch script from C&C servers, intended to erase any trace of their activities,” Check Point said.
“This script, named del_robotask update.bat, deletes valid executables, PlugX loader DLLs and registry keys implemented for persistence, and eventually removes itself. It is likely that this is the result of the threat actors becoming aware that they were under investigation.”