State-sponsored hackers linked to the Silk Typhoon activity cluster targeted diplomats by hijacking web traffic to redirect to a malware-serving website.
The hackers used an advanced adversary-in-the-middle (AitM) technique to hijack the captive portal of the network and send the target to the first-stage malware.
Google Threat Intelligence Group (GTIG) tracks the threat actor as UNC6384 and, based on tooling, targeting, and infrastructure, believes it is associated with the Chinese threat actor TEMP.Hex, also known as Mustang Panda and Silk Typhoon.
Hijacking Chrome requests
GTIG researchers believe that the AitM was possible after compromising an edge device on the target network; however, they did not find evidence to support this theory.
The attack starts when the Chrome browser checks if it is behind a captive portal, which is a web page where users of a network authenticate before connecting to the internet.
With the hackers in a position to hijack web traffic, they redirect the target to a landing page impersonating an Adobe plugin update site.
Victims download a digitally signed ‘AdobePlugins.exe’ file, presented as a required plugin update, and are directed to step-by-step instructions on the site to bypass Windows security prompts while installing it.
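The chain described above leaves a recognisable trace in web proxy logs: a browser's captive-portal probe should be answered with a bare HTTP 204, so a probe that instead gets redirected to a host that is not the organisation's own portal, followed by an executable download from that host, is worth alerting on. The script below is an added detection example, not code from the article or from GTIG. The log format, client addresses and hostnames are constructed; the probe URLs are the ones Chrome and Windows are assumed to use for connectivity checks and are not taken from the article.

```python
"""Flag hijacked captive-portal probes in a constructed web proxy log."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Connectivity-probe URLs (assumed: Chrome's generate_204 checks and the
# Windows NCSI probe). A normal answer is HTTP 204 or the expected body.
PROBE_URLS = {
    "http://www.gstatic.com/generate_204",
    "http://clients3.google.com/generate_204",
    "http://www.msftconnecttest.com/connecttest.txt",
}

# Constructed log line shape:
#   <timestamp> <client-ip> "<method> <url>" <status> location="<Location header>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>\S+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) location="(?P<location>[^"]*)"$'
)


@dataclass
class Finding:
    client: str
    probe_url: str
    redirect_host: str
    # Executables the same client later fetched from the redirect host.
    downloads: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_hijacked_probes(lines: Iterable[str],
                         expected_portal_hosts: frozenset = frozenset()) -> List[Finding]:
    """Probes redirected anywhere other than a known portal host are findings."""
    records = [r for r in map(parse_line, lines) if r]
    findings: List[Finding] = []
    for r in records:
        if r["url"] not in PROBE_URLS:
            continue
        status = int(r["status"])
        if status == 204:
            continue  # clean answer: nothing intercepted the probe
        if not (300 <= status < 400) or not r["location"]:
            continue  # non-redirect anomalies are out of scope for this check
        dest = (urlparse(r["location"]).hostname or "").lower()
        if dest and dest not in expected_portal_hosts:
            findings.append(Finding(r["client"], r["url"], dest))
    # Second pass: correlate each redirect with executable downloads from that host.
    for f in findings:
        for r in records:
            if r["client"] != f.client or r["method"] != "GET":
                continue
            u = urlparse(r["url"])
            if (u.hostname or "").lower() == f.redirect_host and \
                    u.path.lower().endswith((".exe", ".msi")):
                f.downloads.append(r["url"])
    return findings


# Constructed sample: one clean probe, one redirect to the real corporate portal,
# one redirect to a lookalike update site followed by an .exe download.
SAMPLE_LOG = [
    '2025-08-25T09:00:01Z 10.0.0.5 "GET http://www.gstatic.com/generate_204" 204 location=""',
    '2025-08-25T09:00:02Z 10.0.0.6 "GET http://www.gstatic.com/generate_204" 302 '
    'location="https://portal.corp.example/login"',
    '2025-08-25T09:00:03Z 10.0.0.7 "GET http://www.gstatic.com/generate_204" 302 '
    'location="http://adobe-update.example/plugins"',
    '2025-08-25T09:00:09Z 10.0.0.7 "GET http://adobe-update.example/AdobePlugins.exe" 200 location=""',
]

if __name__ == "__main__":
    for f in find_hijacked_probes(SAMPLE_LOG, frozenset({"portal.corp.example"})):
        print(f"{f.client}: probe {f.probe_url} redirected to {f.redirect_host}; "
              f"downloads: {f.downloads or 'none'}")
```

The allowlist of expected portal hosts is the important knob: a guest network's legitimate portal will also answer probes with a redirect, so the check only fires on redirect targets the organisation does not recognise, and the second pass adds the executable download that turns a suspicious redirect into a likely first-stage delivery.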
GTIG researchers noted that it is unclear whether the entity that signs the files used in this campaign, Chengdu Nuoxin Times Technology Co., Ltd, is knowingly participating in these operations or was compromised.
However, GTIG tracks at least 25 malware samples signed by this entity since early 2023, associated with various Chinese activity clusters.
Treating all certificates from Chengdu Nuoxin Times Technology Co., Ltd as untrusted is a reasonable defensive action until the situation is clarified.
Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.