A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan.
Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely starts with a phishing email link or attachment, although it said it couldn’t obtain the original email used to launch the attack.
“One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads,” security researchers Den Iuzvyk and Tim Peck said.
It’s worth noting that the abuse of specially crafted management saved console (MSC) files to execute malicious code has been codenamed GrimResource by Elastic Security Labs.
The starting point is a file with double extensions (.pdf.msc) that masquerades as a PDF file (if the setting to display file extensions is disabled) and is designed to execute an embedded JavaScript code when launched using the Microsoft Management Console (MMC).
This code, in turn, is responsible for retrieving and displaying a decoy file, while also covertly loading a DLL file (“DismCore.dll”) in the background. One such document used in the campaign is named “Tax Reductions, Rebates and Credits 2024,” which is a legitimate document associated with Pakistan’s Federal Board of Revenue (FBR).
“In addition to delivering the payload from an embedded and obfuscated string, the .MSC file is able to execute additional code by reaching out to a remote HTML file which also accomplishes the same goal,” the researchers said, adding that persistence is established using scheduled tasks.
The main payload is a backdoor capable of setting up contact with a remote server and executing commands sent by it to exfiltrate data from compromised systems. Securonix said the attack was disrupted 24 hours after initial infection.
“From the highly obfuscated JavaScript used in the initial stages to the deeply concealed malware code within the DLL, the entire attack chain exemplifies the complexities of detecting and analyzing contemporary malicious code,” the researchers said.
“Another notable aspect of this campaign is the exploitation of MSC files as a potential evolution of the classic LNK file which has been popular with threat actors over the past few years. Like LNK files, they also allow for the execution of malicious code while blending into legitimate Windows administrative workflows.”
