Operation ControlPlug: Targeted attack campaign using MSC files
June 6, 2024, 3:07 p.m.
Tags
External References
Description
An investigation revealed that the threat group DarkPeony, in a campaign tracked as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate its malicious activity. These files, a format that is not widely familiar to users, leverage the Console Taskpad feature to execute PowerShell scripts that download and run additional malware, ultimately leading to the deployment of PlugX. Access control measures, including the use of Cloudflare, were applied to restrict access to the distribution sites hosting the MSI payload files. Although incidents involving MSC files are currently limited, this tactic may gain traction among multiple threat groups because of its stealthy nature.
Date
Published: June 6, 2024, 2:55 p.m.
Created: June 6, 2024, 2:55 p.m.
Modified: June 6, 2024, 3:07 p.m.
Indicators
Attack Patterns
Kaba
Sogu
DestroyRAT
TVT
Thoper
PlugX - S0013
Korplug
DarkPeony
T1059.008
T1218.005
T1218.011
T1059.003
T1059.001
T1572
T1059.007
T1071.001
T1105
T1566.001