
Silk Typhoon hackers hijack network captive portals in diplomat attacks


State-sponsored hackers linked to the Silk Typhoon activity cluster targeted diplomats by hijacking web traffic to redirect to a malware-serving website.

The hackers used an advanced adversary-in-the-middle (AitM) technique to hijack the captive portal of the network and send the target to the first-stage malware.

Google Threat Intelligence Group (GTIG) tracks the threat actor as UNC6384 and, based on tooling, targeting, and infrastructure, believes it is associated with the Chinese threat actor TEMP.Hex, also known as Mustang Panda and Silk Typhoon.

Hijacking Chrome requests

GTIG researchers believe that the AitM was possible after compromising an edge device on the target network; however, they did not find evidence to support this theory.

The attack starts when the Chrome browser checks if it is behind a captive portal, which is a web page where users of a network authenticate before connecting to the internet.

With the hackers in a position to hijack web traffic, they redirect the target to a landing page impersonating an Adobe plugin update site.

Victims download a digitally signed ‘AdobePlugins.exe’ file, presented as a required plugin update, and are directed to step-by-step instructions on the site to bypass Windows security prompts while installing it.
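The chain described above hinges on the answer to a browser's connectivity probe: a clean network returns an empty 204, a real captive portal redirects to the organisation's sign-in page, and an adversary in the middle redirects to a lure. A defender can classify that answer. The following is an added example written for this article, not code from Google or from the reporting; Chrome's probe endpoint (www.gstatic.com/generate_204) is real, while the portal allowlist, lure-word list and every sample response are constructed placeholders.

```python
"""Classify the response to a browser captive-portal probe.

Added example for this article, not Google's or the reporting's own code.
Chrome's probe host/path (www.gstatic.com/generate_204) is real; every
hostname and sample response below is constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

PROBE_HOST = "www.gstatic.com"   # real Chrome connectivity-check host
PROBE_PATH = "/generate_204"     # real: a healthy network answers 204, no body

# Portals the organisation actually operates (constructed placeholder).
KNOWN_PORTALS = {"portal.example-org.net"}

# Wording that rarely belongs in a network sign-in URL but matches the
# software-update lure described in the article (constructed list).
LURE_WORDS = ("adobe", "plugin", "update")
EXEC_SUFFIXES = (".exe", ".msi", ".dll")


def parse_response(raw: bytes) -> tuple[int, dict, bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_probe_response(raw: bytes) -> dict:
    """Return {"verdict": ..., "reasons": [...], "target": host-or-None}."""
    status, headers, body = parse_response(raw)
    reasons = []

    # The expected answer from the real probe endpoint: 204 and no body.
    if status == 204 and not body:
        return {"verdict": "clean", "reasons": [], "target": None}

    if 300 <= status < 400 and "location" in headers:
        url = urlsplit(headers["location"])
        host = (url.hostname or "").lower()
        if host in KNOWN_PORTALS:
            return {"verdict": "captive_portal", "reasons": [], "target": host}
        reasons.append(f"redirect to unknown portal host {host!r}")
        haystack = (host + url.path).lower()
        if any(word in haystack for word in LURE_WORDS):
            reasons.append("URL contains software-update lure wording")
        if url.path.lower().endswith(EXEC_SUFFIXES):
            reasons.append("redirect points straight at an executable")
        return {"verdict": "suspicious", "reasons": reasons, "target": host}

    # Anything else (e.g. a 200 carrying HTML) means something answered in
    # place of the probe host: a portal that serves its page inline, or an
    # AitM injecting content. Either way it deserves a look.
    reasons.append(f"unexpected status {status} with {len(body)} body bytes")
    return {"verdict": "intercepted", "reasons": reasons, "target": None}


# Constructed sample responses to the probe; the lure hostname is a
# placeholder and not a real indicator from the article.
SAMPLES = {
    "probe_ok": b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n",
    "real_portal": (b"HTTP/1.1 302 Found\r\n"
                    b"Location: https://portal.example-org.net/login\r\n\r\n"),
    "lure": (b"HTTP/1.1 302 Found\r\n"
             b"Location: http://adobe-plugin-update.example.invalid/AdobePlugins.exe\r\n\r\n"),
    "injected": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
}


def run_samples() -> dict:
    """Classify every constructed sample; used by the demo and the checks."""
    return {name: classify_probe_response(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12} {result['verdict']:15} {'; '.join(result['reasons'])}")
```

Feed it the raw bytes a proxy, packet capture or endpoint agent records for the probe request, and alert on `suspicious` and `intercepted` verdicts from hosts that should see only `clean` or an allowlisted `captive_portal`. The allowlist is the important part: a redirect to anything other than a portal the organisation knows it runs is the signal, and the lure-word and executable checks only rank how urgently to look.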

Fake site prompting Adobe plugin installation

Source: Google
