Hackers Exploit Microsoft Management Console to Drop Backdoor Payloads on Windows

The Securonix Threat Research team has identified a phishing campaign built on tax-related lures, which it tracks as the “FLUX#CONSOLE campaign.” The operation uses Microsoft Common Console Document (MSC) files and layered obfuscation to deliver a stealthy backdoor payload, and it marks a notable shift away from the malicious LNK shortcut files that previously dominated such campaigns.

The Attack Scenario

The attack begins with a phishing email that uses tax-themed lures, including a seemingly legitimate PDF titled “Income-Tax-Deduction-and-Rebates202441712.pdf.” The PDF is a harmless decoy that conceals an embedded MSC file, which executes the malicious payload in the background. Unlike the LNK files that have long dominated malware campaigns, MSC files are increasingly favored because they can run embedded scripts while masquerading as legitimate Windows administrative tools.

Key Tactics and Techniques

The FLUX#CONSOLE campaign employs a range of advanced methods to evade detection and ensure the successful delivery of its payload. Key tactics include:

  • Tax-Themed Lures (T1566): Files and documents that mimic tax-related content to exploit user trust.
  • Exploitation of MSC Files (T1218.014): Malicious MSC files disguised as legitimate administrative tools, executing embedded code when opened.
  • DLL Sideloading Using DISM.exe (T1574.001): The malicious DLL “DismCore.dll” is sideloaded through Dism.exe, a legitimate Windows process.
  • Persistence Through Scheduled Tasks (T1053.005): Recurring scheduled tasks keep the malware active, even after system reboots.
  • Advanced Obfuscation Techniques (T1027.010): Multiple layers of obfuscated code, including JavaScript and a concealed malicious DLL, complicate detection and analysis.

Attack Chain

The user is tricked into opening a malicious MSC file disguised as a PDF (e.g., “ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc”). The MSC file contains embedded XML commands that either extract the malicious DLL payload, DismCore.dll, from within the file itself or download it from a remote server, so the MSC file acts as both loader and dropper. The DLL is then sideloaded by Dism.exe, a legitimate Windows tool that the attackers copy to a staging directory for execution.

The attackers layer encryption and code-hiding techniques over the payload to frustrate analysis. For persistence, they create scheduled tasks that execute the malicious payload every five minutes, ensuring long-term control and execution. The sideloaded DLL (DismCore.dll) communicates with a Command-and-Control (C2) server at “hxxps://siasat[.]top” and exfiltrates data over encrypted HTTPS traffic to evade detection.
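The chain above leaves several host-level traces a SOC can hunt for: MMC opening a double-extension .msc, Dism.exe running from a staging directory instead of System32, DismCore.dll loading from outside the Windows directory, and a minute-interval scheduled task. The following triage rules are an added illustration, not Securonix's code or anything from the report; the telemetry field names, the staging path and the sample records are constructed for the example.

```python
import ntpath
import re

# Paths assume a default install; the telemetry field names ("type", "image",
# "cmdline", "loaded") are a made-up schema for this example, not a real EDR's.
WINDIR = r"c:\windows"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.msc$", re.I)  # e.g. "x.pdf.msc"

def check_event(ev):
    """Return the names of the rules that fire on one telemetry record."""
    hits = []
    image = ev.get("image", "").lower()
    exe = ntpath.basename(image)
    cmd = ev.get("cmdline", "")
    if ev["type"] == "process":
        # Rule 1: MMC opened a console file whose name hides a second extension.
        if exe == "mmc.exe" and DOUBLE_EXT.search(cmd.strip('"')):
            hits.append("msc_double_extension")
        # Rule 2: Dism.exe running from a staging directory instead of System32.
        if exe == "dism.exe" and ntpath.dirname(image) not in SYSTEM_DIRS:
            hits.append("dism_outside_system32")
        # Rule 3: a minute-interval scheduled task (the report's 5-minute cadence).
        if exe == "schtasks.exe" and re.search(r"/sc\s+minute", cmd, re.I):
            hits.append("schtasks_minute_interval")
    elif ev["type"] == "imageload":
        # Rule 4: DismCore.dll loaded from anywhere outside the Windows directory.
        loaded = ev.get("loaded", "").lower()
        if ntpath.basename(loaded) == "dismcore.dll" and not loaded.startswith(WINDIR):
            hits.append("dismcore_sideload")
    return hits

def triage(events):
    """Map record index -> rules fired, keeping only records that triggered one."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry; the staging path is invented for the example.
STAGING = r"C:\Users\u\AppData\Local\Temp\staging"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\u\Downloads\ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc"'},
    {"type": "process", "image": STAGING + r"\Dism.exe", "cmdline": STAGING + r"\Dism.exe"},
    {"type": "imageload", "image": STAGING + r"\Dism.exe", "loaded": STAGING + r"\DismCore.dll"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr " + STAGING + r"\Dism.exe"},
    {"type": "process", "image": r"C:\Windows\System32\Dism.exe",  # benign admin use, no hit
     "cmdline": "Dism.exe /Online /Get-Features"},
]
```

Each rule on its own is noisy in some environments (administrators do run Dism.exe); the value is in several of them firing on the same host within a short window.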

During the researchers' observation window, the attackers maintained “hands-on-keyboard” access for approximately 24 hours, exfiltrating data and potentially preparing for lateral movement. The campaign appears to specifically target victims in Pakistan, as indicated by the tax-themed lures and filenames that mimic official government documents. Although Pakistan has faced threats from groups such as SideWinder, Gamaredon, and Lazarus Group, the tactics, techniques, and procedures (TTPs) observed in FLUX#CONSOLE do not align with any known advanced persistent threat (APT) group.

MSC files represent a growing threat vector. Typically regarded as benign administrative tools, their ability to execute embedded scripts makes them an appealing choice for attackers. By camouflaging these files as PDFs or other common formats and embedding malicious code, threat actors can bypass legacy detection methods that key on more familiar file types.

IOC For SOC/DFIR Teams

C2 and Infrastructure

C2 Address
siasat[.]top
hxxps://ewh.ieee[.]org/reg/ccece15/files/ccece-word-sample.pdf
