Chinese APT using PlugX malware on espionage targets

Bronze President, the China-backed advanced persistent threat (APT) group that also goes by the name of Mustang Panda, has been conducting a widespread campaign against targets of interest to Chinese espionage, using documents that spoof official diplomatic notices to lure in their victims.

Observed by the Secureworks Counter Threat Unit (CTU), a series of attacks that unfolded during June and July used a PlugX malware to target the computer systems of government officials in several countries in Europe, the Middle East and South America.

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests,” the CTU team said in its write-up.

PlugX is a modular type of malware that calls back to a command and control (C2) server for tasking and, as such, is capable of downloading additional plugins to enhance its capabilities and functionality beyond mere information-gathering, making it particularly dangerous.

In the Bronze President campaign, it arrived at its targets embedded within RAR archive files. Opening this archive on a Windows system with default settings enabled displays a Windows shortcut (LNK) file masquerading as a document.

Alongside this shortcut is a hidden folder containing the malware, which is embedded eight levels deep in a series of hidden folders named with special characters. This tactic is likely a means to try to bypass email-scanning defences that may not look at the whole path when scanning content. In turn, said Secureworks, it suggests the delivery method is phishing emails, as there is no other real benefit to doing this.

To execute the PlugX malware, the user must click the LNK file, ultimately leading to the loading, decryption and execution of the PlugX payload. During this process, the decoy document – an example of which is shown below – is dropped.

The CTU team said the politically themed documents suggested Bronze President’s activities are currently geared towards government officials in various countries of interest to China.

In the above example, a Turkish official is targeted with a notification, supposedly from the British government, of the appointment of a new ambassador (at the time of writing Dominick Chilcott remains the incumbent British ambassador in Ankara). In common with other recent Chinese campaigns, the targeting of Turkey probably reflects its strategic importance in the ongoing battle for Ukraine.

Ukraine has been a key focus for Bronze President, which has been highly active in 2022, supporting China’s intelligence-gathering agenda related to the war. In May, it was observed by Cisco Talos targeting European and Russian entities, also using PlugX, in a similar campaign that spoofed European Union reports on the conflict.

“Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities,” said the Secureworks team. “Organisations in geographic regions of interest to China should closely monitor this group’s activities, especially organisations associated with or operating as government agencies.”

More technical information on this campaign, including indicators of compromise, is available from Secureworks.