Operation ControlPlug: Targeted attack campaign using MSC files

June 6, 2024, 3:07 p.m.

Description

An investigation revealed that the threat group DarkPeony, in a campaign tracked as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. MSC files are rarely encountered by users and analysts; here they leveraged the Console Taskpad feature to execute PowerShell scripts that downloaded and executed malware, ultimately leading to the deployment of PlugX. The attackers placed access controls, including Cloudflare, in front of the distribution sites hosting the MSI payload files to restrict who could reach them. Although instances involving MSC files are currently limited, this tactic may gain traction among multiple threat groups because of its stealthy nature.

Date

Published: June 6, 2024, 2:55 p.m.
Created: June 6, 2024, 2:55 p.m.
Modified: June 6, 2024, 3:07 p.m.

Indicators


www.genians.co.kr

https://www.genians.co.kr/blog/threat_intelligence/facebook

Attack Patterns

Kaba

Sogu

DestroyRAT

TVT

Thoper

PlugX - S0013

Korplug

DarkPeony

T1059.008

T1218.005

T1218.011

T1059.003

T1059.001

T1572

T1059.007

T1071.001

T1105

T1566.001