HTML smuggling as a method to bypass network detection.

The PlugX activity targets foreign policy entities in Europe, mainly Eastern Europe, by using HTML Smuggling. HTML Smuggling is a method used by hackers to conceal harmful payloads within HTML documents. The SmugX email campaign uses HTML Smuggling to download a JavaScript or a ZIP file. This creates a long infection chain that ultimately results in the victim being infected with PlugX.

Adversaries have used HTML smuggling for a while. Still, it has become more common since Microsoft blocked other popular methods of sneaking malware onto systems, like default-blocking macros in Word documents.

Lure for European politicians

The Attackers primarily focused on European domestic and foreign policy and were mainly used by Eastern and Central European governmental organizations.

Most of the documents found had content related to diplomacy, with some specifically concerning China and human rights. Furthermore, the names of the files imply that the targets were likely government officials and diplomats.

Attack on the European government

The attackers implemented HTML smuggling to enable downloading a JavaScript or ZIP file onto a compromised system. In the case of a ZIP archive, it includes a harmful LNK file that triggers PowerShell. On the other hand, if a JavaScript file is utilized, it will download and activate an MSI file from the attackers’ server.

After infecting a system, the DLL decrypts the PlugX malware. This malware can conduct several harmful activities, such as capturing screenshots, logging keystrokes, executing commands, and extracting files. A legitimate executable is hijacked and downloaded during the infection process to ensure that the malware remains on the system. The malware then duplicates the fair program and DLL, storing them in a hidden directory. The malware adds the legitimate program to the Run registry key to maintain persistence.

Is it possible to evade PlugX infection?

Potential targets of such attacks must prioritize defense. In a significant cyber attack, resetting the organization’s cyber security approach and posture is recommended. Every organization must reflect on its actions and decisions following a considerable spell. Though, it should be a lesson not only for governmental services but also for companies.

• Regularly update the systems. It is essential to regularly update your operating systems, software, and applications with the latest security patches and updates to fix known vulnerabilities.
• To enhance your security measures, it is necessary to revamp the cybersecurity training provided to government officials.
• A unique role for such organizations is the Zero Trust principles, so you can completely change the state of affairs in security.
• Implementing strict access controls such as strong passwords, multi-factor authentication (MFA), and role-based access control is essential to prevent unauthorized access to sensitive data and systems.

To minimize the risk of attacks, companies should implement various security measures. These include adopting robust security strategies, such as the Zero Trust model, regularly updating and patching systems, providing thorough security awareness training, implementing strict access controls, segmenting networks, using advanced threat detection tools, regularly backing up data, conducting security assessments, and utilizing third-party security services. By taking these steps, companies can significantly reduce their vulnerability to attacks.

The post PlugX malware attacks European diplomats appeared first on Gridinsoft Blog.

1. Name the thing you are going for.

Any pointless activity is at least not very productive. In the case of OSINT, having no target in the investigation makes it just an eternal netstalking event for you. Knowing the exact type of information will not only define where you are about to stop, but also decrease the number of tools you are about to use. Not all OSINT tools are free – ones designed for the detailed analysis of the logs you’ve found may cost a pretty big sum of money. Hence, you will possibly save your money as well.

2. Choose the sources.

Having the defined target, you are good to determine what kind of sources you will use. Social networks of different types will provide you with different data. Searches in Google may also give you some interesting facts; using specific resources with the information about entrepreneurship will give you the other portion of pretty confidential information. If you know the other places where the info may be posted (the site of the university, clinic, etc) – you are good to go.

• Facebook, Instagram and Twitter will arm you with info about the subject’s opinion on certain topics, and recent activities. In particular, Instagram can show you the locations where the subject was last time. Friend Lists in all of these networks will give you the info about personalities from the subject’s life
  When we are talking about searching the information on a certain topic, hashtags in those networks will ease your job by orders of magnitude.
• Instagram, Pinterest will show you the interests of the subject. Preferred types of pictures, favourite colour combinations, beloved animals and clothing styles. If you want to surprise a girlfriend – these are the best places to search for ideas.

• Facebook and LinkedIn are the places where people often leave the information about their employment. The last one is created specifically for that purpose, so if you want to know where the subject is (or was) working – here you go.

3. Choosing the instruments

In social networks, you will likely find information that does not need any processing. Names, locations, facts – all these things are ready for you to take them into account. However, not all things you’ll find during the operation will be so easy to analyse. For photos, geotags, some toponyms and metadata you will need to use additional software. Fortunately, the vast majority of programs for that purpose are free.

Digital photos may contain a lot of information, both on the exact composition and in the metadata. On the photo you can spot the sightseeings, shops or cafes that may uncover the location where the photo was taken. Buildings may also be the tip to uncover the place: with the use of specific tools, based on neural network analysis, you can get the precise location of that place – of course, with a chance to miss. EagleEye is one of the most esteemed free tools for picture analysis.

Some websites are offering the full kit of different tools for open-source intelligence. Sites like OSINT Framework offer dozens of tools, up to 3-5 instruments for each reconnaissance surface. Combining them will bring you much wider and more relevant information. It is also important to note that a lot of tools for OSINT you can find on the web are open-source and available only for Linux.

4. Safety rules

OSINT can easily be classified as spying or netstalking, depending on who’s judging. One may say that these things are not so bad, but the majority of people will say that it is amoral. That’s why it is better to use OSINT only in cases when you are not intended to contact the subject. However, the fact that you tried to find some information on someone during the course of OSINT events will not likely be detected if you will keep it a secret.

OSINT is stealthy, contrary to the classic reconnaissance methods, which still may be detected. But saying things like “I’ve seen that in your photo” when there are no really remarkable things on it will definitely point at your investigation. If the subject will check it out, of course. Sure, for just collecting the information from open sources you will not be held accountable. However, society may react sharply in that case.

5. Compiling the collected information

After having the full kit of information you may need, it’s time to compile it into a one piece, that will answer the question that pushed you to this investigation. It is similar to a jigsaw puzzle, or the mosaic – get all particles conjuncted and you will get a picture. After the successful OSINT event, you may have the full dossier on the person, or the complete information about the event. Analysing the information may be not very easy, but, again – when you know what you were going for, and made a right choice on the OSINT tools – you will likely get the information in a pretty easy-to-analyse form.

Some of the OSINT tools (and ones advised above) can already output the information in the readable form. However, some give you just raw data, which still needs the additional processing. Doing it yourself, or applying some other programs for making it structured – that is only your choice. Both of these methods may give you an acceptable result, but manual analysis will shape the results in the form that is most suitable for you.

The post Working Tips and Recommendation: How to Use OSINT appeared first on Gridinsoft Blog.