Operation ControlPlug: Targeted attack campaign using MSC files

June 6, 2024, 3:07 p.m.

Description

An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to execute PowerShell scripts that downloaded and executed malware, ultimately leading to the deployment of PlugX. Access control measures, including the use of Cloudflare, were implemented to restrict access to the distribution sites hosting the MSI payload files. Although instances involving MSC files are currently limited, this tactic may gain traction among multiple threat groups due to its stealthy nature.

External References

https://jp.security.ntt/tech_blog/controlplug
https://otx.alienvault.com/pulse/6661cdd8f88616a01aca8651
Tags
malware
stealthy
apt
plugx
campaign
2024-06-06
korplug
kaba
tvt
destroyrat
thoper
sogu

Date

  • Created: June 6, 2024, 2:55 p.m.
  • Published: June 6, 2024, 2:55 p.m.
  • Modified: June 6, 2024, 3:07 p.m.

Indicators

  • f0aa5a27ea01362dce9ced3685961d599e1c9203eef171b76c855a3db41f1ec6
  • 8c9e1f17e82369d857e5bf3c41f0609b1e75fd5a4080634bc8ae7291ebe2186c
  • e81982e40ee5aaed85817343464d621179a311855ca7bcc514d70f47ed5a2c67
  • 54549745868b27f5e533a99b3c10f29bc5504d01bd0792568f2ad1569625b1fd
  • 1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292
  • www.genians.co.kr
  • https://www.genians.co.kr/blog/threat_intelligence/facebook
  • versaillesinfo.com
  • shreyaninfotech.com
  • profilepimpz.com
  • lifeyomi.com
  • lebohdc.com
  • gulfesolutions.com
  • buyinginfo.org
Download all indicators here!

Attack Patterns

  • Kaba
  • Sogu
  • DestroyRAT
  • TVT
  • Thoper
  • PlugX - S0013
  • Korplug
  • DarkPeony
  • T1059.008
  • T1218.005
  • T1218.011
  • T1059.003
  • T1059.001
  • T1572
  • T1059.007
  • T1071.001
  • T1105
  • T1566.001