A stealthy phishing campaign has been uncovered using tax-related lures to deliver an obfuscated backdoor, targeting systems in Pakistan.
Cybersecurity firm Securonix, tracking this activity under the codename FLUX#CONSOLE, reports that the attack likely begins with a phishing email containing a malicious link or attachment. However, the original email used to initiate the attack could not be retrieved.
Exploiting MSC Files for Malicious Payloads
One of the most distinctive aspects of this campaign is its use of Microsoft Common Console Document (MSC) files. According to researchers Den Iuzvyk and Tim Peck, these files serve as both a loader and a dropper, deploying additional malicious payloads.
The technique, referred to as GrimResource by Elastic Security Labs, leverages MSC files that appear harmless but are actually designed to execute malicious code.
The attackers use files with double extensions (e.g., .pdf.msc), which impersonate legitimate PDF files. If file extensions are hidden on the system, these files appear as standard documents. When launched using Microsoft Management Console (MMC), the embedded JavaScript is executed, initiating the attack chain.
Attack Chain and Payload Delivery
The process begins by retrieving and displaying a decoy file while covertly loading a DLL file (DismCore.dll) in the background. One of the malicious files discovered in this campaign, titled "Tax Reductions, Rebates, and Credits 2024", impersonates an authentic document from Pakistan's Federal Board of Revenue (FBR).
The MSC file not only deploys the backdoor from an obfuscated string but also reaches out to a remote HTML file to execute additional code. This enables attackers to maintain persistence through scheduled tasks.
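The behaviours described above (a document-like name in front of the .msc extension, MMC launching the console, and scheduled-task persistence) translate into a simple host-telemetry check. The following is an added example, not Securonix's or Elastic's code; it runs over constructed Sysmon-style process-creation records with assumed field names, and assumes task creation surfaces as a schtasks.exe child of mmc.exe (creation through the Task Scheduler COM interface would need task-creation audit events instead).

```python
# Added example, not Securonix's or Elastic's code: heuristics for the MSC abuse
# described above. Field names (Image, CommandLine, ProcessId, ParentProcessId) are assumed.
import re
from pathlib import PureWindowsPath

# Document-like extension placed in front of the real .msc extension
DOUBLE_EXT_MSC = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.msc$", re.IGNORECASE)
# The .msc argument handed to mmc.exe, quoted (may contain spaces) or bare
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

def classify_msc_name(filename: str) -> str:
    """Return 'double_extension', 'msc' or 'other' for a file name."""
    if DOUBLE_EXT_MSC.search(filename):
        return "double_extension"
    return "msc" if filename.lower().endswith(".msc") else "other"

def analyze_events(events):
    """Alert on MMC opening a suspicious console and on schtasks.exe spawned by it."""
    alerts, suspicious_mmc = [], set()
    for ev in events:
        image, pid = ev["Image"].lower(), ev["ProcessId"]
        if image.endswith("\\mmc.exe"):
            m = MSC_ARG.search(ev["CommandLine"])
            if not m:
                continue
            path = m.group(1) or m.group(2)
            kind = classify_msc_name(PureWindowsPath(path).name)
            in_user_dir = any(tok in path.lower() for tok in USER_WRITABLE)
            if kind == "double_extension":
                alerts.append(f"pid {pid}: MMC opened double-extension console {path}")
            elif kind == "msc" and in_user_dir:
                alerts.append(f"pid {pid}: MMC opened console from user-writable path {path}")
            else:
                continue  # e.g. services.msc from System32: benign
            suspicious_mmc.add(pid)
        elif image.endswith("\\schtasks.exe") and ev.get("ParentProcessId") in suspicious_mmc:
            alerts.append(f"pid {pid}: schtasks.exe spawned by suspicious MMC (persistence)")
    return alerts

# Constructed sample telemetry: a benign console, the tax lure, a follow-on task
SAMPLE_EVENTS = [
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
    {"ProcessId": 412, "ParentProcessId": 300, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\u\Downloads\Tax Reductions, Rebates, and Credits 2024.pdf.msc"'},
    {"ProcessId": 420, "ParentProcessId": 412, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Updater"},
]
```

Calling `analyze_events(SAMPLE_EVENTS)` yields two alerts: the double-extension console (pid 412) and the schtasks.exe child it spawned; the stock services.msc launch produces none.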
Capabilities of the Backdoor
The primary payload is a backdoor capable of:
- Establishing communication with a remote command-and-control (C2) server.
- Executing commands received from the server.
- Exfiltrating sensitive data from compromised systems.
Securonix reported that the attack was neutralized within 24 hours of initial infection.
Challenges in Detection
The campaign demonstrates the increasing sophistication of modern malware attacks. The attack chain includes:
- Highly obfuscated JavaScript in the initial stages.
- Concealed malicious code embedded within the DLL payload.
These techniques make detection and analysis significantly more challenging.
A Shift from LNK Files to MSC Files
Researchers also highlighted the evolution of attack techniques, noting that MSC files represent a new alternative to the widely used LNK files. Like LNK files, MSC files allow attackers to execute malicious code while seamlessly integrating into legitimate Windows workflows.
As attackers continue to innovate, organizations must stay vigilant and adopt advanced security measures to detect and prevent such threats.