free counter

Chinese APT using PlugX malware on espionage targets

santiago silver – Fotolia

Chinas Bronze President APT is once more targeting government officials of interest to its paymasters, this time around using forged diplomatic correspondence, based on the Secureworks Counter Threat Unit

Alex Scroxton


Published: 08 Sep 2022 12: 00

Bronze President, the China-backed advanced persistent threat (APT) group that also goes on the name of Mustang Panda, has been conducting a widespread campaign against targets of interest to Chinese espionage, using documents that spoof official diplomatic notices to lure within their victims.

Observed by the Secureworks Counter Threat Unit (CTU), a number of attacks that unfolded during June and July used a PlugX malware to focus on the personal computers of government officials in a number of countries in Europe, the center East and SOUTH USA.

Several characteristics of the campaign indicate that it had been conducted by the likely Chinese government-sponsored Bronze President threat group, like the usage of PlugX, file paths and naming schemes used by the threat group, the current presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests, the CTU team said in its write-up.

PlugX is really a modular kind of malware that calls back again to a command and control (C2) server for tasking and, therefore, is with the capacity of downloading additional plugins to improve its capabilities and functionality beyond mere information-gathering, rendering it particularly dangerous.

In the Bronze President campaign, it attained its targets embedded within RAR archive files. Opening this archive on a Windows system with default settings enabled displays a Windows shortcut (LNK) file masquerading as a document.

Alongside this shortcut is really a hidden folder containing the malware, that is embedded eight levels deep in some hidden folders named with special characters. This plan is likely a way to make an effort to bypass email-scanning defences that could not consider the whole path when scanning content. Subsequently, said Secureworks, it suggests the delivery method is phishing emails, as there is absolutely no other real benefit to achieving this.

To execute the PlugX malware, an individual must click on the LNK file, ultimately resulting in the loading, decryption and execution of the PlugX payload. In this process, the decoy document a good example of that is shown below is dropped.

The CTU team said the politically themed documents suggested Bronze Presidents activities are intended for government officials in a variety of countries of interest to China.

In the aforementioned example, a Turkish official is targeted with a notification, supposedly from the British government, of the appointment of a fresh ambassador (during writing Dominick Chilcott remains the incumbent British ambassador in Ankara). In keeping with other recent Chinese campaigns, the targeting of Turkey probably reflects its strategic importance in the ongoing battle for Ukraine.

Ukraine is a key focus for Bronze President, which includes been highly active in 2022, supporting Chinas intelligence-gathering agenda linked to the war. IN-MAY, it had been observed by Cisco Talos targeting European and Russian entities, also using PlugX, in an identical campaign that spoofed EU reports on the conflict.

Bronze President has demonstrated an capability to pivot quickly for new intelligence collection opportunities, said the Secureworks team. Organisations in geographic parts of interest to China should closely monitor this groups activities, especially organisations connected with or operating as government agencies.

More technical info on this campaign, including indicators of compromise, can be acquired from Secureworks.

Read more on Hackers and cybercrime prevention

Read More

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button

Adblock Detected

Please consider supporting us by disabling your ad blocker