Chinese Threat Actors Target European Ministries and Embassies with HTML Smuggling in SmugX Campaign

Tags: SmugX, PlugX, Mustang Panda, Red Delta, HTML Smuggling

SmugX-related attacks have been observed since December 2022. The threat actors behind the campaign use HTML smuggling as a novel delivery method for a variant of PlugX, a widely used malware family associated with various Chinese threat actors. Researchers are monitoring the campaign and have identified links to a previously reported campaign attributed to RedDelta and Mustang Panda.

Indicators of Compromise

mod.mmgpms.com
segtic.com
waxmm.com
jsj1.linuxupdate.info
kvnit-prod.api.kochova.com
pingless.com
update.hilifimyanmar.com
qpodn31.isdmfu1.xyz
ftp.electrobist.com
mm.portomnail.com
mirros.microsoftcontents.com
qq.xxe.pw
api.microsoftlab.xyz
x.xxe.pw
api.wensente.xyz
d802f446.org
portomnail.com
cxitsolution.com
mail.biateknos.com
polygons-stakes.site
vividworld.net
www.jcswcd.com
static.adobe-cdn.org
update.microupdate.xyz
worm.win32.pysis.sm
exchange.portomnail.com
archivess.imangoim.net
9f78281a.org
down-flash.com
lllllllllll.loseyourip.com
down1.linuxupdate.info
dataanalyticsclub.com
dns.xxe.pw
quic.flashesplayer.com
down2.linuxupdate.info
dl-flash.tk
liveweatherupdate.online
www.zlove.cc
openmd5.com
91ac64d2.net
static.tcplog.com
halldie.fit
microsoftcontents.com
protection.cloud
api.imango.ink
js.down-flash.com
download.hilifimyanmar.com
box.xxe.pw
q.xxe.pw
joyceyong.art
time.ntp-server.asia
officecdn-microsoft-com.akamaixed.net
a.linuxupdate.info
down.xxe.pw
www.linuxupdate.info
sportsgross.com
cdn.imango.ink
exchange.openmd5.com
cerradoforte.com
linux.updatelive-oline.com
9f78281a.net
center.veryssl.org
jcswcd.com
q2.xxe.pw
adobe-cdn.org
fonts.google-au.ga
www.microsoftcontents.com
peek.openssl-digicert.xyz
fraudlabpros.at
back.rooter.tk
9f78281a.com
ns1.thorcom.net
help.tcplog.com
update.microsoftlab.top
clubfiveforpeace.co
music.nb-fk.com
help.down-flash.com
datetime.datetime.now
quickconnect.io
bahisaltv79.com
www.5xge.com
luyensex.club
48b2137f.com
sempersim.su
mail.jackbarber.com
linux.down-flash.com
perwish.email
abre.com.my
mayibeofservice.com
www.mmimchat.com
bankssy.com
travel.dianatokaji.com
mirros3.linuxupdate.info
diary.lojjh.com
system.save
kunpengs.xyz
docs.azure
tcplog.com
ns1.xxe.pw
codeforge.pro
dach-loc.com
pricelulu.co.uk
quangdecalshop.com
pastor.cntcog.org
mawuqiis.xyz
mail.divinecellcare.lk
91ac64d2.org
xxe.linuxupdate.info
q4.xxe.pw
subscribe.3gbling.com
apps.imangolm.com
www.myanmarnewsonline.org
n2.xxe.pw
xxe.pw
jqueryllc.net
48b2137f.net
d802f446.net
update.ajaxrenew.com
b23q.xyz
d802f446.com
echoesdesing.com
images.myanmarnewsonline.org
whneat.com
mini.ptipexcel.com
mail.xxe.pw
5avis.com
91ac64d2.com
48b2137f.org
blackcreekbarns.com
yoursafepayments.com
dash.tcplog.com
akamaixed.net
microsoftfile.com
themomerator.com
secure.azure
txt.mm-film.com
lutanedukasi.co.id
linuxupdate.info
googleanalyticstag.com
cdn.google-au.ga
coating.drrooter.com
nb-fk.com
xinhewood-cn.com
proxy.xxe.pw
chrome.down-flash.com
ns2.xxe.pw
gareloi-digit.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATIONS
We recommend the following remediation steps to affected organizations to reduce the risk of HTML smuggling.
Ensure Safe Links and Safe Attachments are implemented to provide real-time protection against HTML smuggling and other email threats. Specifically, check for the following to detect HTML attachments that smuggle malware:
– An attached ZIP file contains JavaScript
– An attachment is password-protected
– An HTML file contains suspicious script code
– An HTML file decodes Base64 content or contains obfuscated JavaScript
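The four indicators above can be turned into a simple attachment pre-filter. The script below is an added example written for this page, not code from the original page or from any vendor product: it inspects an attachment in memory and reports which indicators fire (script file inside a ZIP, encrypted ZIP entry, inline script, Base64 decoding, obfuscation primitives, and a client-side Blob download, which is the hallmark of a smuggling loader). The sample attachments and the regular expressions are constructed for illustration and would need tuning against real mail flow.

```python
"""Heuristic scanner for HTML-smuggling indicators in e-mail attachments.

Added example (not from the original page). It checks an attachment for the
indicators listed above: a ZIP containing script files, a password-protected
ZIP, and HTML that carries inline script, decodes Base64, uses obfuscation
primitives or assembles a download client-side. Sample data is constructed.
"""
import base64
import io
import re
import zipfile

# Heuristic patterns (assumption: chosen for illustration, tune for production)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
BASE64_DECODE = re.compile(r"\batob\s*\(", re.IGNORECASE)           # browser-side Base64 decode
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.IGNORECASE)
BLOB_DOWNLOAD = re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|\.download\s*=", re.IGNORECASE)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")              # large embedded payload blob

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def scan_zip(data: bytes) -> list:
    """Flag encrypted entries and script files inside a ZIP attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            findings.append(f"password-protected entry: {info.filename}")
        if info.filename.lower().endswith(SCRIPT_EXTS):
            findings.append(f"script file inside archive: {info.filename}")
    return findings


def scan_html(data: bytes) -> list:
    """Flag inline script, Base64 decoding, obfuscation and Blob downloads in HTML."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    if SCRIPT_TAG.search(text):
        findings.append("HTML contains <script>")
    if BASE64_DECODE.search(text):
        findings.append("script decodes Base64 (atob)")
    if OBFUSCATION.search(text):
        findings.append("obfuscation primitive (eval/unescape/fromCharCode)")
    if BLOB_DOWNLOAD.search(text):
        findings.append("client-side Blob download (smuggling drop)")
    if LONG_BASE64.search(text):
        findings.append("large embedded Base64 blob")
    return findings


def scan_attachment(filename: str, data: bytes) -> dict:
    """Dispatch on file type (by extension or magic bytes) and return a verdict."""
    name = filename.lower()
    if name.endswith(".zip") or data.startswith(b"PK\x03\x04"):
        findings = scan_zip(data)
    elif name.endswith((".html", ".htm")) or b"<html" in data[:2048].lower():
        findings = scan_html(data)
    else:
        findings = []
    return {"file": filename, "suspicious": bool(findings), "findings": findings}


def make_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Build a ZIP in memory (constructed test data). With encrypted=True the
    central-directory flag bit 0 is set so readers treat entries as password
    protected; no real encryption is applied, which is enough for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(b"PK\x01\x02")            # central directory header signature
        while pos != -1:
            data[pos + 8] |= 0x01                  # flags field sits at offset 8
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


# Constructed sample attachments: a smuggling-style loader and a benign page.
SMUGGLED_HTML = (
    b'<html><body><script>\nvar b = atob("' + base64.b64encode(b"A" * 300) + b'");\n'
    b'var blob = new Blob([b], {type: "application/octet-stream"});\n'
    b'var a = document.createElement("a");\n'
    b'a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();\n'
    b"</script></body></html>"
)
BENIGN_HTML = b"<html><body><p>Meeting agenda for Thursday</p></body></html>"

if __name__ == "__main__":
    for fname, blob in [
        ("invoice.html", SMUGGLED_HTML),
        ("agenda.html", BENIGN_HTML),
        ("docs.zip", make_zip({"readme.txt": b"hello", "loader.js": b"alert(1)"})),
        ("secure.zip", make_zip({"report.txt": b"hello"}, encrypted=True)),
    ]:
        print(scan_attachment(fname, blob))
```

The ZIP checks read only the central directory, so they work on attachments that are too large or too sensitive to extract; the HTML checks are deliberately coarse and are meant to route a message to sandboxing or quarantine, not to be the final verdict.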

Ensure attack surface reduction rules block or audit activity associated with HTML smuggling. The following rules can help:
– Block JavaScript or VBScript from launching downloaded executable content
– Block execution of potentially obfuscated scripts
– Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Prevent JavaScript files from executing automatically by changing the file associations for .js and .jse files. This would certainly prevent this form of HTML smuggling; however, JavaScript is indispensable for BC and therefore this is not a practical solution.

Check Office 365 email filtering settings to ensure they block spoofed emails, spam, and emails with malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and neutralize malicious messages that have already been delivered in response to newly acquired threat intelligence.

Check the perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command and control (C2) activity.

Turn on network protection to block connections to malicious domains and IP addresses.

Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Educate users about preventing malware infections. Encourage users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.

Observed Countries (7)

CZ (914)
FR (660)
GB (450)
HU (144)
SE (101)
SK (576)
UA (766)