December 18, 2024
Severity
High
Analysis Summary
A new phishing campaign, part of a wave of cyberattacks against Pakistan, has been found using tax-themed lures to deliver a covert backdoor. The researchers tracking the activity under the name FLUX#CONSOLE were unable to recover the initial email, but stated that the intrusion most likely begins with a phishing email carrying a link or an attachment.
The cybersecurity experts said, “One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads.”
Researchers have given the abuse of specially crafted Microsoft saved console (MSC) files to run malicious code the codename GrimResource. The starting point is a file with a double extension (.pdf.msc) that poses as a PDF when file extensions are hidden (the Windows default) but is in fact opened by the Microsoft Management Console (MMC), which executes JavaScript embedded in the file.
That code loads a DLL ("DismCore.dll") in the background while fetching and displaying a decoy document, so the victim sees what they expected to open. One decoy used in the campaign is "Tax Reductions, Rebates and Credits 2024", a legitimate document associated with Pakistan's Federal Board of Revenue (FBR). Besides delivering the payload from embedded, obfuscated text, the .MSC file can also fetch a remote HTML file and run additional code from it, achieving the same result by a second route. Persistence is established through scheduled tasks.
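The two delivery traits described above, a document extension hiding the real .msc suffix and script content embedded in a saved console, are both things a responder can check for offline. The following triage helper is an added example and is not code or an indicator published by the researchers. It assumes the MSC file is MMC's XML console format with a `StringTable` of `String` elements (real consoles also carry base64 in `Binary` elements, which is why only `String` blobs are flagged); the marker list, the filename check and both sample files are constructed for illustration, and neither sample is the real FLUX#CONSOLE artifact.

```python
"""Offline triage of Microsoft saved console (.msc) files for GrimResource-style abuse.

Added example: checks (1) a decoy document extension in front of .msc and
(2) script-like content inside the console's string table.
"""
import re
import xml.etree.ElementTree as ET

# Tokens that have no legitimate reason to appear in a saved console's
# string table. Assumed list for this example, not a published signature.
SCRIPT_MARKERS = (
    "<script", "javascript:", "ActiveXObject", "eval(", "WScript.Shell",
    "rundll32", "regsvr32", "schtasks", ".dll",
)

# Decoy extensions commonly placed in front of the real one.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# A long unbroken base64 run inside a <String> is a likely embedded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def has_double_extension(filename):
    """True for names such as 'Tax Reductions 2024.pdf.msc' that hide .msc
    behind a document extension; False for plain 'services.msc' or 'report.pdf'."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "msc" and parts[1] in DECOY_EXTENSIONS


def suspicious_msc_strings(xml_text):
    """Parse the console XML and return (element tag, marker, snippet) tuples
    for every text node that contains a script marker or a large base64 blob."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text:
            continue
        lower = text.lower()
        for marker in SCRIPT_MARKERS:
            if marker.lower() in lower:
                findings.append((elem.tag, marker, text[:60]))
        # Only <String> blobs are flagged; <Binary> elements legitimately hold base64.
        if elem.tag == "String" and BASE64_BLOB.search(text):
            findings.append((elem.tag, "large-base64-blob", text[:60]))
    return findings


def triage(filename, xml_text):
    """Combine both checks into a single verdict for one file."""
    double_ext = has_double_extension(filename)
    findings = suspicious_msc_strings(xml_text)
    return {
        "file": filename,
        "double_extension": double_ext,
        "findings": findings,
        "verdict": "suspicious" if (double_ext or findings) else "clean",
    }


# Constructed sample loosely modelled on the MMC console XML layout. The
# <script> block is XML-escaped so the file still parses, as it would in a
# real console. This is NOT the real campaign file.
MALICIOUS_SAMPLE = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">&lt;script&gt;var o=new ActiveXObject("WScript.Shell");eval(atob("SGVsbG8="));&lt;/script&gt;</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign sample: plain string table plus a small icon blob.
BENIGN_SAMPLE = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Computer Management (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
  <BinaryStorage>
    <Binary Name="SmallIcon">AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAAA==</Binary>
  </BinaryStorage>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for name, sample in (("Tax Reductions 2024.pdf.msc", MALICIOUS_SAMPLE),
                         ("compmgmt.msc", BENIGN_SAMPLE)):
        result = triage(name, sample)
        print(result["file"], "->", result["verdict"])
        for tag, marker, snippet in result["findings"]:
            print("   ", tag, marker, repr(snippet))
```

Run it against a directory of recently downloaded .msc files (read each file as text and pass it with its name to `triage`); a hit on either check is a reason to pull the file for full analysis rather than a conviction on its own, since obfuscation can defeat the fixed marker list.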
The primary payload is a backdoor that communicates with a remote server, executes the commands it receives, and steals information from compromised systems. According to the researchers, the attack was disrupted 24 hours after the initial infection. The identity of the operators remains unknown, although the threat actor known as Patchwork was observed using a similar tax-themed FBR document in early December 2023.
The researchers said that while Patchwork may be responsible, they could not establish reliable links through known TTPs or other telemetry to attribute the campaign with confidence. The phishing lures look comparable, but threat actors are known to reuse one another's lures, particularly PDFs and image files. If Patchwork is behind the attack, however, the campaign would offer new insight into the group's operations and current attack chains.
The full attack chain illustrates how difficult modern malicious code is to detect and analyze, from the heavily obfuscated JavaScript in the early stages to the deeply hidden malware code inside the DLL. Another notable feature is the use of MSC files as a possible evolution of the LNK file, which threat actors have favored in recent years. Like LNK files, MSC files can execute malicious code while blending in with routine Windows administrative activity.
Impact
- Unauthorized Access
- Code Execution
- Data Exfiltration
- Information Theft
Indicators of Compromise
URL
- https://ewh.ieee.org/reg/ccece15/files/ccece-word-sample.pdf
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not open documents attached to emails from unknown sources, treat .msc attachments as executables rather than documents, and never enable macros when the source is not trusted.
- Configure Windows to show file extensions so a double extension such as .pdf.msc is visible to users, and consider blocking or quarantining .msc attachments at the email gateway.
- Keep Windows endpoints and Microsoft software up to date and install security patches promptly to reduce the weaknesses available to threat actors.
- Implement multi-factor authentication wherever possible to add an extra layer of protection for sensitive applications and accounts.
- Conduct regular security audits and vulnerability assessments to identify and address weaknesses in systems and networks.
- Enable antivirus and anti-malware software and keep signature definitions current; multi-layered protection is needed to secure vulnerable assets.
- Alongside network and system hardening, apply code hardening to the organization's websites and software, and use testing tools to detect vulnerabilities in deployed code.