A group of Chinese hackers has been credited with a new campaign aimed at infecting government officials in Europe, the Middle East and South America with a modular malware known as PlugX.
Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, demonstrating once again the adversary’s continued focus on espionage against governments around the world.
“PlugX is modular malware that contacts a command and control (C2) server for tasks and can download additional plugins to enhance its capability beyond basic information gathering,” the Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.
Bronze President is a China-based threat actor active since at least July 2018 and is likely a state-sponsored group that uses a mix of proprietary and publicly available tools to compromise and collect data from targets.
It is also publicly documented under other names such as HoneyMyte, Mustang Panda, Red Lich and Temp.Hex. One of its main tools of choice is PlugX, a remote access trojan that has been widely shared among Chinese adversarial collectives.
Earlier this year, the group was spotted targeting Russian government officials with an updated version of the PlugX backdoor called Hodur, along with entities located in Asia, the European Union and the US.
Secureworks’ attribution of the recent campaign to Bronze President stems from the use of PlugX and politically themed lures matching regions of strategic importance to China.
Attack chains distribute RAR archive files containing a Windows shortcut (.LNK) file disguised as a PDF document; opening it executes a legitimate file present in a hidden folder located within the archive.
This then paves the way for a decoy document to be dropped while the PlugX payload establishes persistence on the infected host.
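The archive layout described above (a shortcut posing as a PDF next to a hidden folder holding the executable it launches) is something a mail gateway or sandbox can flag before anyone opens it. The triage heuristic below is an added example, not code from Secureworks or the article; the archive listing is constructed, and the extension sets and the `Entry` shape are assumptions rather than anything the report specifies.

```python
"""Triage an archive listing for a .LNK-masquerading-as-document lure
next to a hidden folder that contains an executable (constructed example)."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed extension sets; widen them to match your own environment.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".exe", ".dll"}


@dataclass(frozen=True)
class Entry:
    name: str      # path inside the archive, '/' separated, dirs end in '/'
    is_dir: bool
    hidden: bool   # Windows FILE_ATTRIBUTE_HIDDEN set on the entry


def masquerading_lnk(entry: Entry) -> bool:
    """True for a shortcut whose inner name carries a document extension.
    Explorer hides the trailing .lnk, so 'Brief.pdf.lnk' displays as 'Brief.pdf'."""
    p = PurePosixPath(entry.name)
    return (not entry.is_dir
            and p.suffix.lower() == ".lnk"
            and PurePosixPath(p.stem).suffix.lower() in DOC_EXTS)


def triage_archive(entries):
    """Return (lnk, hidden_dir, executable) triples for every executable that
    sits under a hidden directory in an archive that also holds a lure .lnk."""
    hidden = {e.name.rstrip("/") for e in entries if e.is_dir and e.hidden}
    lures = [e.name for e in entries if masquerading_lnk(e)]
    findings = []
    for e in entries:
        if e.is_dir or PurePosixPath(e.name).suffix.lower() not in EXEC_EXTS:
            continue
        for h in hidden:
            if e.name.startswith(h + "/"):
                findings.extend((lure, h, e.name) for lure in lures)
    return findings


# Constructed listing shaped like the lure described in the article.
SAMPLE = [
    Entry("Meeting_Brief.pdf.lnk", is_dir=False, hidden=False),
    Entry("res/", is_dir=True, hidden=True),
    Entry("res/viewer.exe", is_dir=False, hidden=True),   # legitimate binary
    Entry("res/support.dll", is_dir=False, hidden=True),  # library it loads
    Entry("res/brief.pdf", is_dir=False, hidden=True),    # decoy document
]

if __name__ == "__main__":
    for lure, folder, exe in triage_archive(SAMPLE):
        print(f"suspicious: {lure} -> hidden folder {folder!r} holds {exe}")
```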
“The Bronze President has demonstrated an ability to move quickly to new intelligence gathering opportunities,” the researchers said. “Organizations in geographic regions of interest to China should closely monitor the activities of this group, especially organizations affiliated with or acting as government agencies.”