Cert2Connect

DarkPeony Carries Out Operation Control Plug

The DarkPeony threat actor executed Operation ControlPlug against military and government agencies in Myanmar the Philippines Mongolia and Serbia. The campaign began with MSC files which when opened displayed a screen prompting users to click a link that executed a PowerShell script. This script remotely downloaded and executed an MSI file containing an EXE DLL and DAT file. The EXE file though legitimate facilitated DLL side-loading which loaded the DLL file to decode and execute the DAT file ultimately running PlugX. MSC files used with Microsoft Management Console exploited their Console Taskpad feature to execute arbitrary commands deceiving users into triggering the PowerShell script. Websites distributing the MSI files used Cloudflare to control access obstructing researchers while targeting specific organizations.
Overzicht

WILT U WETEN HOE DIT RISICO
UITGEBANNEN KAN WORDEN?

Wij helpen je graag. Indien gewenst geven we graag een presentatie of demo van onze oplossingsaanpak. Je vindt ons ook regelmatig op beurzen en events. Volg de evenementenpagina op deze site of meld je aan via de contactpagina voor onze nieuwsbrief.

Maak een afspraak