Operation ControlPlug: APT Attack Campaign abusing MSC file

2024-06-13, NTTSecurity
https://jp.security.ntt/tech_blog/controlplug-en
#ControlPlug #MSC

This article is the English version of "Operation ControlPlug: MSCファイルを使った標的型攻撃キャンペーン" (Operation ControlPlug: a targeted attack campaign using MSC files), translated by Ryu Hiyoshi, NTTSH SOC analyst.
The original article was authored by our SOC analyst, Rintaro Koike.
Introduction
Since April 2024, attacks by Kimsuky abusing MSC files have been reported [1]. As of late May, we confirmed that DarkPeony, the attack group we have been researching, had started using MSC files in its attacks.
We named this attack campaign by DarkPeony "Operation ControlPlug". According to our research, its targets include, but are not limited to, military and government agencies in Myanmar, the Philippines, Mongolia, and Serbia. Since attacks abusing MSC files are not widely known, many security products and solutions cannot detect them.
In this article, we introduce the attack flow of the Operation ControlPlug campaign and how the attackers abuse MSC files.
Attack flow
In Operation ControlPlug, an MSC file is used as the initial attack vector. As soon as a user opens the MSC file, the following screen appears. A Powershell script …

IoC
