The Chinese threat actor UNC6384 was already known to target diplomats in Southeast Asia. Now it appears that the group is also interested in European countries. For two months, UNC6384 attacked Dutch, Belgian, Italian, Hungarian, and Serbian targets. The compromises relied on a Windows vulnerability that has been known for some time.
The vulnerability exploited is ZDI-CAN-25373. We wrote about it in March, when it became clear that Microsoft was not going to do anything about it. A Trend Micro researcher stated at the time that a solution would be “incredibly difficult.” The attack involves sending malicious .lnk files, shortcuts that contain commands to download malware. Once again an attacker, this time UNC6384, appears to be exploiting this problem.
The campaign by the Chinese attacker, also known as “Mustang Panda,” began with spearphishing emails that reached executives in diplomatic services. These emails carried the malicious .lnk files, packaged as invitations to European Commission meetings and NATO workshops. Using hidden PowerShell commands, the shortcuts loaded the PlugX remote access trojan (RAT).
The attack chain contains more layers than that. Once the .lnk file runs, a tar archive is decrypted that contains a legitimate, validly signed Canon tool. That tool is abused via DLL side-loading to execute malicious code. The RC4-encrypted PlugX payload is then decrypted and runs in memory inside the trusted Canon process.
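As an added defender-side example (not code from the article or from any of the researchers it cites), the following Python parser reads the COMMAND_LINE_ARGUMENTS field of a Windows shortcut and flags the ZDI-CAN-25373 technique, where the real PowerShell command is pushed out of the Properties dialog behind hundreds of whitespace characters. The sample shortcuts, the padding threshold and the placeholder command are constructed here and are not taken from the campaign.

```python
import struct

# LinkFlags bits and header size from the MS-SHLLINK shortcut format.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE, HEADER_SIZE = 0x80, 0x4C
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace that pushes the real command out of view

def read_string(data, off, is_unicode):
    """Read one StringData field: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    width = 2 if is_unicode else 1
    raw = data[off + 2:off + 2 + count * width]
    text = raw.decode("utf-16-le") if is_unicode else raw.decode("latin-1")
    return text, off + 2 + count * width

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDList: 2-byte size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: 4-byte size includes itself
        off += struct.unpack_from("<I", data, off)[0]
    args = None
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if flags & bit:  # StringData fields appear in this fixed order
            text, off = read_string(data, off, flags & IS_UNICODE)
            if bit == HAS_ARGUMENTS:
                args = text
    return args

def check_padding(data, threshold=64):
    """Flag argument strings whose leading whitespace hides the real command."""
    args = lnk_arguments(data) or ""
    command = args.lstrip(PAD_CHARS)
    padding = len(args) - len(command)
    return {"padding": padding, "suspicious": padding >= threshold, "command": command}

def build_lnk(args, target=r"..\..\Windows\System32\cmd.exe"):
    """Constructed minimal .lnk for testing: Unicode strings, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, b"\x00" * 16, flags).ljust(HEADER_SIZE, b"\x00")
    pack = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(target) + pack(args)

CLEAN = build_lnk("/c echo hello")  # constructed benign shortcut
PADDED = build_lnk(" " * 900 + "/c powershell -w hidden -c <placeholder command>")  # constructed
```

Real shortcuts usually carry an IDList and LinkInfo block, which the parser skips by their declared sizes, so the same check runs over files collected from mail gateways or endpoints.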