Summary:
In a recent analysis, the suspected Chinese cyber-espionage group DarkPeony has been linked to the use of SSL/TLS certificates associated with PlugX command and control nodes. The investigation revealed multiple suspicious certificates and domains, indicating a persistent operational pattern. This post aims to provide insights for defenders to identify and mitigate potential threats from this group.
#DarkPeony #PlugX #CyberEspionage
Keypoints:
- DarkPeony is a suspected Chinese cyber-espionage group targeting government and military organizations.
- The group has been observed using PlugX malware in campaigns across several countries.
- SSL/TLS certificates linked to DarkPeony show recurring use of ‘AES’ in the organizational unit (OU) field of the certificate subject.
- Infrastructure providers in Hong Kong are frequently utilized by DarkPeony.
- Domain registration patterns suggest attempts to obfuscate malicious activities.
- Several IP addresses and domains have been identified as part of DarkPeony’s infrastructure.
- Security teams are encouraged to proactively hunt for emerging infrastructure linked to DarkPeony.
MITRE Techniques
- Application Layer Protocol (T1071): Uses multiple command and control domains to maintain communication with compromised systems.
- OS Credential Dumping (T1003): Extracts account login and password material from the operating system and installed software.
- Data Encrypted for Impact (T1486): Encrypts data to disrupt availability and demand ransom for decryption.
- Obfuscated Files or Information (T1027): Hides malicious files or information to evade detection.
IoC:
- [domain] buyinginfo[.]org
- [ip address] 103.107.105[.]81
- [ip address] 96.43.101[.]248
- [ip address] 223.26.52[.]245
- [ip address] 146.66.215[.]19
- [domain] councilofwizards[.]com
- [ip address] 45.32.105[.]184
- [domain] thelocaltribe[.]com
- [ip address] 149.104.2[.]160
- [domain] smldatacenter[.]com
- [ip address] 202.91.36[.]213
- [domain] kentscaffolders[.]com
- [domain] loginge[.]com
- [file name] Meeting Invitation.msc
- [file hash] SHA-256: 397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c
Full Research: https://hunt.io/blog/darkpeony-certificate-patterns