Full Report
A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan. Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely starts with a phishing email link or attachment, although it said it couldn't obtain the original email used to launch the attack. "One of the
Analysis Summary
# Tool/Technique: FLUX#CONSOLE / MSC File Abuse leading to Backdoor Deployment
## Overview
FLUX#CONSOLE is a threat activity tracked by Securonix that utilizes phishing lures, specifically tax-themed documents, to deploy a stealthy, dual-purpose loader/dropper embedded within Microsoft Management Console (MSC) files. This ultimately results in the deployment of an obfuscated backdoor capable of command execution and data exfiltration on compromised systems in Pakistan. The technique abuses the functionality of `.msc` files to execute malicious code.
## Technical Details
- Type: Backdoor/Loader Mechanism
- Platform: Windows
- Capabilities: Exploits MSC file execution to run embedded JavaScript, loads a malicious DLL (`DismCore.dll`), establishes persistence via scheduled tasks, and communicates with a C2 server to execute commands.
- First Seen: Information not explicitly provided, but context suggests recent activity (December 2024).
## MITRE ATT&CK Mapping
Since the exact stages are complex, the mapping focuses on the initial execution and persistence mechanisms described:
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1566.001 - Phishing: Spearphishing Attachment (implied initial vector)
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job
## Functionality
### Core Capabilities
- **Initial Access/Execution:** Leverages double-extension files (e.g., `.pdf.msc`) disguised as legitimate documents (like tax forms from Pakistan's FBR).
- **Payload Loading:** When opened via MMC, the MSC file executes embedded, obfuscated JavaScript.
- **Decoy Display:** The JavaScript shows a seemingly legitimate decoy file (like a tax document) to mask malicious activity.
- **Background Loading:** Covertly loads a malicious DLL named `DismCore.dll`.
- **C2 Communication:** The final backdoor establishes communication with a remote server to receive and execute commands.
### Advanced Features
- **Defense Evasion:** Extensive obfuscation is used in the initial JavaScript payload and the malware code within the DLL to complicate detection and analysis.
- **Remote Code Execution:** The backdoor allows threat actors to execute arbitrary commands remotely.
- **Data Exfiltration:** The C2 channel is used to exfiltrate data from compromised hosts.
- **Alternative Execution Path:** The `.msc` file can also reach out to a remote HTML file to initiate code execution, providing redundancy.
## Indicators of Compromise
- File Hashes: [None provided in the context]
- File Names:
  - Double-extension file: `.pdf.msc`
  - Decoy document example: "Tax Reductions, Rebates and Credits 2024"
  - Malicious DLL: `DismCore.dll`
- Registry Keys: [Not specified in the context]
- Network Indicators: [None explicitly provided; C2 servers are remote]
- Behavioral Indicators:
  - Execution originating from Microsoft Management Console (MMC).
  - Execution of embedded, obfuscated JavaScript from an MSC file.
  - Creation of scheduled tasks for persistence.
  - Loading of `DismCore.dll`.
## Associated Threat Actors
- Threat actors tracked by Securonix under the name **FLUX#CONSOLE**.
- No specific named nation-state or established APT group was mentioned in the provided text.
## Detection Methods
- **Signature-based detection:** Difficult due to high obfuscation.
- **Behavioral detection:** Crucial for detecting the sequence of events, specifically the execution of JavaScript from an MSC file or the loading of the specific DLL.
- **YARA rules:** [Not available in the context]
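The behavioral checks listed above, turned into a runnable triage sketch over constructed Sysmon-style events (an added example, not code from Securonix or the report): MMC opened with a double-extension `.pdf.msc` file, MMC loading `DismCore.dll`, and a scheduled task created from the MMC process tree. The event fields, rule names and sample file paths are assumptions for illustration.

```python
"""Behavioural detection sketch for FLUX#CONSOLE-style MSC abuse.
Events are a constructed, Sysmon-like shape (hypothetical), not real telemetry."""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (process create) or "image" (image load)
    image: str         # image path of the acting process
    parent: str = ""   # parent image path (process events)
    cmdline: str = ""  # command line (process events)
    loaded: str = ""   # loaded DLL path (image events)


def _is_mmc(path: str) -> bool:
    return path.lower().endswith("\\mmc.exe")


def flux_console_alerts(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the reported TTPs."""
    alerts = []
    for e in events:
        cmd = e.cmdline.lower()
        if e.kind == "process" and _is_mmc(e.image) and ".pdf.msc" in cmd:
            # MMC launched with a double-extension console file (T1204.002)
            alerts.append(("mmc_double_extension_msc", e.cmdline))
        if e.kind == "image" and _is_mmc(e.image) and e.loaded.lower().rsplit("\\", 1)[-1] == "dismcore.dll":
            # The report names DismCore.dll as the malicious DLL; MMC loading it is the behavioural signal
            alerts.append(("mmc_loads_dismcore", e.loaded))
        if e.kind == "process" and _is_mmc(e.parent) and e.image.lower().endswith("\\schtasks.exe") and "/create" in cmd:
            # Scheduled-task persistence created under the MMC process tree (T1053.005)
            alerts.append(("mmc_child_schtasks_create", e.cmdline))
    return alerts


# Constructed sample telemetry: one benign MMC session, then the reported chain.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mmc.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'),
    Event("process", r"C:\Windows\System32\mmc.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\mmc.exe" "C:\Users\u\Downloads\Tax Reductions, Rebates and Credits 2024.pdf.msc"'),
    Event("image", r"C:\Windows\System32\mmc.exe", loaded=r"C:\Users\u\AppData\Local\Temp\DismCore.dll"),
    Event("process", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\mmc.exe",
          r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\x.exe"'),
]

if __name__ == "__main__":
    for rule, evidence in flux_console_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```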
## Mitigation Strategies
- **Prevention measures:**
  - Implement strict email filtering policies to block suspicious attachments or links.
  - Ensure users are aware of social engineering tactics, especially tax-themed lures.
- **Hardening recommendations:**
  - Disable or restrict the execution of potentially dangerous file types where possible.
  - Implement controls to monitor or restrict the use of Microsoft Management Console (MMC) to launch potentially compromised files.
  - Regularly audit systems for newly created scheduled tasks.
## Related Tools/Techniques
- **GrimResource:** The general technique of abusing specially crafted management saved console (MSC) files to execute malicious code, as codenamed by Elastic Security Labs.