A new phishing campaign has been observed using tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan.
Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely begins with a phishing email link or attachment, although it said it could not obtain the original email used to launch the attack.
“One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads,” security researchers Den Iuzvyk and Tim Peck said.
It's worth noting that the abuse of specially crafted management saved console (MSC) files to execute malicious code has been codenamed GrimResource by Elastic Security Labs.
The starting point is a file with double extensions (.pdf.msc) that masquerades as a PDF file (if the setting to display file extensions is disabled) and is designed to execute embedded JavaScript code when launched using the Microsoft Management Console (MMC).
This code, in turn, is responsible for retrieving and displaying a decoy file, while also covertly loading a DLL file (“DismCore.dll”) in the background. One such document used in the campaign is titled “Tax Reductions, Rebates and Credits 2024,” which is a legitimate document associated with Pakistan’s Federal Board of Revenue (FBR).
“In addition to delivering the payload from an embedded and obfuscated string, the .MSC file is able to execute additional code by reaching out to a remote HTML file which also accomplishes the same goal,” the researchers said, adding that persistence is established using scheduled tasks.
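The traits described above (a .pdf.msc double extension, script embedded in the console document, a DLL name and a remote URL inside it) can be turned into a simple triage check for defenders. The following is an added example, not Securonix's or Elastic's code; the MSC layout, tag names and values in the sample are constructed for illustration and are not a real FLUX#CONSOLE artifact.

```python
import re
import html
import xml.etree.ElementTree as ET
from pathlib import PurePath

# Constructed sample in the shape the article describes: a double-extension
# .pdf.msc whose string table carries script, a DLL name and a remote HTML URL.
# Tag layout and values are illustrative, not a real FLUX#CONSOLE artifact.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">&lt;script&gt;load('DismCore.dll');
      show('http://example.invalid/decoy.html')&lt;/script&gt;</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
DLL_RE = re.compile(r"\b[\w-]+\.dll\b", re.IGNORECASE)


def _visible_text(content: str) -> str:
    """Return all string content of the MSC XML with entities decoded."""
    try:
        root = ET.fromstring(content)
        return " ".join(root.itertext())
    except ET.ParseError:
        # Malformed XML is itself noteworthy; fall back to a raw decode.
        return html.unescape(content)


def triage_msc(filename: str, content: str) -> dict:
    """Score one .msc file on the traits the campaign relies on."""
    suffixes = PurePath(filename.lower()).suffixes
    double_ext = len(suffixes) >= 2 and suffixes[-1] == ".msc" and suffixes[-2] in DOC_EXTS
    text = _visible_text(content)
    lowered = text.lower()
    script = "<script" in lowered or "javascript:" in lowered
    urls = sorted(set(URL_RE.findall(text)))
    dlls = sorted(set(DLL_RE.findall(text)))
    return {
        "double_extension": double_ext,
        "embedded_script": script,
        "remote_urls": urls,
        "dll_references": dlls,
        # Flag a lure by itself, or script that reaches for a DLL or remote content.
        "suspicious": double_ext or (script and bool(urls or dlls)),
    }


if __name__ == "__main__":
    print(triage_msc("Tax Reductions, Rebates and Credits 2024.pdf.msc", SAMPLE_MSC))
```

Legitimate console documents such as services.msc carry no script, so the check produces no indicators for them; any .msc arriving by email that does trip it deserves a closer look.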
The main payload is a backdoor capable of establishing contact with a remote server and executing commands sent by it to exfiltrate data from compromised systems. Securonix said the attack was disrupted 24 hours after initial infection.
It's currently not clear who is behind the malware campaign, although the threat actor known as Patchwork has been previously observed using an identical tax-related document from FBR in early December 2023.
Securonix told The Hacker News that while it's “definitely possible” Patchwork could be behind the attacks, it said it was unable to build solid connections based on known TTPs and other telemetry sources to confidently state attribution.
“The referenced phishing lures look similar, however we’ve seen threat actors piggyback lures before in the past, especially with either PDFs or even image file lures,” Peck, senior threat researcher at Securonix, said. “However, if this is the case and Patchwork is responsible, it would provide further insights into their operations and current attack chains.”
“From the highly obfuscated JavaScript used in the initial stages to the deeply concealed malware code within the DLL, the entire attack chain exemplifies the complexities of detecting and analyzing contemporary malicious code,” the researchers stated.
“Another notable aspect of this campaign is the exploitation of MSC files as a potential evolution of the classic LNK file which has been popular with threat actors over the past few years. Like LNK files, they also allow for the execution of malicious code while blending into legitimate Windows administrative workflows.”