SOC Incident Toolkit
Chinese Threat Actors Target European Ministries and Embassies with HTML Smuggling in SmugX Campaign

Tags: SmugX, PlugX, Mustang Panda, RedDelta, HTML Smuggling

SmugX-related attacks have been observed since December 2022. The threat actors behind the campaign use novel delivery methods to distribute a variant of PlugX, a widely used malware family associated with various Chinese threat actors. Researchers are monitoring the campaign and have identified links to a previously reported campaign attributed to RedDelta and Mustang Panda.

Indicators of Compromise

Domains (147)

Hashes (1735)

IPv4 (212)

CVEs (24)

CVE-2021-34527, CVE-2023-0286, CVE-2019-6225, CVE-2021-26855, CVE-2023-0216, CVE-2021-4034, CVE-2021-44228, CVE-2023-0217, CVE-2022-27925, CVE-2021-27065, CVE-2023-0401, CVE-2020-3992, CVE-2022-37042, CVE-2021-26858, CVE-2022-30190, CVE-2022-4450, CVE-2022-4203, CVE-2021-40539, CVE-2022-2294, CVE-2017-11882, and 4 more

Notes

The SmugX campaign targets European ministries and embassies. These organizations possess sensitive information and hold strategic importance.

The primary objective of the campaign is to bypass traditional security measures using HTML smuggling techniques, allowing attackers to gain access to the target systems.

PlugX RAT is the main tool used in the SmugX campaign. PlugX is a modular RAT that provides remote access capabilities and has been used by various Chinese threat groups.

PlugX RAT offers a range of capabilities, including establishing persistence, file discovery, encryption, hiding, keylogging, and screen capturing on compromised systems.

The campaign has been linked to the RedDelta and Mustang Panda threat groups, which have previously conducted similar campaigns and are associated with state-sponsored cyber espionage.

The campaign focuses on sectors such as national security, international affairs, and public administration. These sectors are attractive targets because of the sensitive information they hold and their strategic significance.

To defend against the SmugX campaign, organizations should employ up-to-date antivirus and anti-malware solutions, apply regular software updates, provide security training to employees, and implement network security measures.

These notes summarize the SmugX campaign, its delivery mechanisms and possible countermeasures. For more details and specific measures tailored to your needs, see the SOCRadar Extended Threat Intelligence page (https://socradar.io/extended-threat-intelligence/).

Conclusions

Chinese groups have persistently targeted European government entities, and this campaign is part of a larger trend. Organizations are advised to use the IoCs associated with the campaign to understand the attack pattern and to implement effective security measures that detect and remediate unusual activity at the earliest stage.

Mitigation

Obfuscated Files or Information: HTML Smuggling

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.[1][2]

Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters. For example, JavaScript Blobs can be abused to dynamically generate malicious files on the victim machine, which may be dropped to disk by abusing JavaScript functions such as msSaveBlob.[1][3][2][4]

Procedure Examples

G0016 APT29 (https://attack.mitre.org/groups/G0016): APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution. [5] https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf

S0634 EnvyScout (https://attack.mitre.org/software/S0634): EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk. [6] https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

S0650 QakBot (https://attack.mitre.org/software/S0650): QakBot has been delivered in ZIP files via HTML smuggling. [7] https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html [8] https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features.

Detection

DS0022 File / File Creation (https://attack.mitre.org/datasources/DS0022/#File%20Creation): Monitor newly constructed files created via JavaScript. Developing rules for the different variants, with their combinations of encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

Mitigation Measures

To mitigate the risk of SmugX campaign and PlugX RAT attacks, organizations should consider the following measures:

- Implement robust security measures, including up-to-date antivirus and anti-malware solutions.
- Apply regular security patches and updates to operating systems and software.
- Conduct security awareness training for employees to educate them about potential phishing attacks and suspicious email attachments.
- Employ network segmentation and access controls to limit lateral movement within the network.
- Monitor network traffic and use intrusion detection systems to detect and block suspicious activity.
- Maintain up-to-date backups of critical data to mitigate the impact of data loss or ransomware attacks.
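The building blocks named above (Blob construction, data: URLs, the HTML5 download attribute, msSaveBlob, a large embedded base64 payload) are also what a mail gateway or sandbox can look for in an HTML attachment before it ever reaches a browser. The Python scanner below is an added example, not SOCRadar's or MITRE's code: its indicator weights, flag threshold and the two sample HTML documents are constructed for illustration, and it re-joins concatenated string literals, one of the variant encodings the detection note says are hard to cover.

```python
import re
from dataclasses import dataclass, field

# (indicator name, pattern, heuristic weight). The patterns cover the building
# blocks named in the text: Blob construction, object URLs, the HTML5 download
# attribute, msSaveBlob and base64 data: URLs. Weights are an illustrative choice.
INDICATORS = [
    ("blob_construct", re.compile(r"new\s+Blob\s*\(", re.I), 3),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I), 3),
    ("download_attr", re.compile(r"\.download\s*=|\sdownload\s*=\s*['\"]", re.I), 2),
    ("ms_save_blob", re.compile(r"msSave(?:OrOpen)?Blob", re.I), 3),
    ("data_url", re.compile(r"data:[\w.+/-]+;base64,", re.I), 2),
    ("atob", re.compile(r"\batob\s*\(", re.I), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
]
# A contiguous base64 run this long is rarely legitimate page content.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")
# Adjacent string literals joined with '+', a common way to split a payload.
SPLIT_LITERAL = re.compile(r"""["']\s*\+\s*["']""")
FLAG_THRESHOLD = 6


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    largest_payload: int = 0  # decoded-size estimate of the biggest base64 run

    @property
    def suspicious(self) -> bool:
        # Require a file-writing primitive plus enough corroborating indicators,
        # so a page that merely uses atob() or a data: image is not flagged.
        writer = {"blob_construct", "ms_save_blob", "data_url"} & set(self.hits)
        return bool(writer) and self.score >= FLAG_THRESHOLD


def scan_html(html: str) -> ScanResult:
    """Score one HTML document for HTML-smuggling indicators."""
    # Re-join split literals so a payload written as 'QUJD' + 'QUJD' is seen whole.
    text = SPLIT_LITERAL.sub("", html)
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.hits.append(name)
            result.score += weight
    for run in B64_RUN.finditer(text):
        result.largest_payload = max(result.largest_payload, len(run.group()) * 3 // 4)
    if result.largest_payload:
        result.hits.append("large_b64")
        result.score += 2
    return result


# Constructed samples for illustration, not artefacts from the campaign.
BENIGN_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg==">
<script>document.title = atob('SGVsbG8=');</script>
</body></html>"""

SMUGGLING_HTML = """<html><body><script>
var p = '""" + "QUJD" * 600 + """';
var bytes = Uint8Array.from(atob(p), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'document.zip'; a.click();
</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        r = scan_html(doc)
        print(f"{label}: suspicious={r.suspicious} score={r.score} hits={r.hits}")
```

The benign page scores 3 (a data: image plus atob) and is not flagged; the smuggling sample scores 12 with a 1800-byte decoded payload estimate. Tune weights and the base64 run length against your own mail corpus before deploying.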