Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks

Summary:
The Securonix Threat Research team has been monitoring a new tax-related phishing campaign in which threat actors leverage MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. Securonix is tracking this activity as FLUX#CONSOLE; the adversary employs tax-themed social engineering lures. The activity observed by Securonix is part of attacks targeting users in Pakistan with the main goal of establishing persistence for espionage and lateral movement. One of the more notable aspects of the campaign is how the threat actors leverage MSC files to deploy a dual-purpose loader and dropper that delivers further malicious payloads. The technique of abusing specially crafted MSC files to execute malicious code has been dubbed "GrimResource" by Elastic Security. The attack likely starts with either a phishing email link or attachment, and all lure documents are in English. The lure document observed purports to be a general tax document prepared by the Pakistani government. The PDF document itself is benign and is simply used as a distraction while the malware executes in the background on the victim's machine. Securonix said the attack was disrupted 24 hours after initial infection. The attacker's entire infrastructure has been taken offline, or they are now operating under a different domain. The domain observed in the campaign that was taken offline was hosted behind Cloudflare's network, making the gathering of details and metadata difficult for defenders and researchers. While several APT groups continuously target Pakistan, such as SideWinder, Gamaredon, and Lazarus Group, Securonix states that none of the TTPs found in the FLUX#CONSOLE campaign align with known TTPs from past campaigns. The main payload is a backdoor capable of contacting a remote server and executing commands sent by it to exfiltrate data from compromised systems. The malware establishes persistence using scheduled tasks.

Security Officer Comments:
The delivery method employed in the FLUX#CONSOLE campaign uses an interesting approach to skirt AV detections. By leveraging MSC files to deliver malicious payloads, the attackers only need to entice a potential victim to double-click the file for their code to execute. Both MSC and LNK files are effective initial execution points for phishing attempts, but LNK files are far more commonplace in phishing campaigns. This campaign, along with the GrimResource report from Elastic Security, therefore marks a potential shift in adversary tactics from the classic LNK file to specially crafted MSC files. The arsenal of modern obfuscation techniques throughout the attack chain highlights the elaborate nature of this campaign and how important it is for organizations to deploy a robust endpoint monitoring solution that can quickly adapt to new threats.

Suggested Corrections:
MITRE ATT&CK TTPs and IOCs are available in the Securonix report linked below.
  • As this campaign likely started using phishing emails, avoid downloading files or attachments from external sources, especially if the source was unsolicited. Malicious payloads from phishing emails can be delivered as direct attachments or links to external documents to download. Common file types include zip, rar, iso, and pdf.
  • As .msc files were leveraged, look for unusual child processes spawning from the legitimate Windows mmc.exe process.
  • Monitor common malware staging directories, especially script-related activity in world-writable directories. In this campaign the threat actors staged their operations out of the C:\ProgramData directory.
  • It is strongly recommended to deploy robust endpoint logging capabilities that can aid in PowerShell detections. This includes enabling additional process-level logging for broader detection coverage.
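The three host-based indicators above (unusual children of mmc.exe, script execution out of C:\ProgramData, and scheduled-task persistence) can be turned into simple detection rules. The script below is an added example, not code from the Securonix or Hacker News report; it runs over constructed Sysmon-style process-creation records, and the allowlist, rule names and sample command lines are assumptions for illustration.

```python
import json
import re

# Constructed Sysmon-style process-creation records (JSON lines), not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -f C:\ProgramData\update.ps1"},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Sync /tr C:\ProgramData\svc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "mmc.exe eventvwr.msc"},
])

# Assumed allowlist of children mmc.exe spawns legitimately; tune per environment.
MMC_CHILD_ALLOWLIST = {"mmc.exe", "werfault.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
PROGRAMDATA_RE = re.compile(r"c:\\programdata\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze_event(ev: dict) -> list:
    """Return the names of the rules this event matches (empty list if none)."""
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent == "mmc.exe" and image not in MMC_CHILD_ALLOWLIST:
        hits.append("mmc_unusual_child")          # .msc-triggered execution
    if image in SCRIPT_HOSTS and PROGRAMDATA_RE.search(cmd):
        hits.append("script_from_programdata")    # staging directory used in the campaign
    if image == "schtasks.exe" and "/create" in cmd.lower():
        hits.append("scheduled_task_created")     # persistence mechanism noted in the summary
    return hits

def scan(jsonl: str) -> list:
    """Scan JSON-lines records; return (Image, matched rules) for each flagged event."""
    flagged = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if hits := analyze_event(ev):
            flagged.append((ev["Image"], hits))
    return flagged

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Legitimate mmc.exe launches (the third record) produce no hit; a real deployment would feed Sysmon Event ID 1 or Windows 4688 events with command-line auditing enabled.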
Link(s):
https://thehackernews.com/2024/12/hackers-use-microsoft-msc-files-to.html

https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/