A new phishing campaign has been observed using tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan.
Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely begins with a phishing email link or attachment, though it said it could not obtain the original email used to launch the attack.
"One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads," security researchers Den Iuzvyk and Tim Peck said.
It's worth noting that the abuse of specially crafted management saved console (MSC) files to execute malicious code has been codenamed GrimResource by Elastic Security Labs.
The starting point is a file with double extensions (.pdf.msc) that masquerades as a PDF file (if the setting to show file extensions is disabled) and is designed to execute embedded JavaScript code when launched using the Microsoft Management Console (MMC).
This code, in turn, is responsible for retrieving and displaying a decoy file, while also covertly loading a DLL file ("DismCore.dll") in the background. One such document used in the campaign is called "Tax Reductions, Rebates and Credits 2024," which is a legitimate document associated with Pakistan's Federal Board of Revenue (FBR).
"In addition to delivering the payload from an embedded and obfuscated string, the .MSC file is able to execute additional code by reaching out to a remote HTML file which also accomplishes the same goal," the researchers said, adding that persistence is established using scheduled tasks.
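The chain described above (a double-extension .msc opened by MMC, a DLL loaded from a user-writable path, and a scheduled task created for persistence) leaves a recognisable footprint in endpoint telemetry. The following triage script is an added example, not code from Securonix or from the article; the JSON record format, the field names and the sample events are constructed for this illustration and do not come from the campaign. Only the file name of the decoy and "DismCore.dll" are taken from the article.

```python
import json
import re
from typing import Iterable, List, Tuple

# Constructed sample telemetry (NOT real logs from the campaign): one JSON
# record per line, loosely modelled on process-creation and image-load events.
# The record layout and field names are this example's own assumption.
SAMPLE_EVENTS = r"""
{"type": "process", "pid": 4100, "ppid": 2200, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"type": "process", "pid": 5120, "ppid": 4100, "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Users\\alice\\Downloads\\Tax Reductions, Rebates and Credits 2024.pdf.msc\""}
{"type": "image_load", "pid": 5120, "image": "C:\\Windows\\System32\\mmc.exe", "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\DismCore.dll"}
{"type": "process", "pid": 5300, "ppid": 5120, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn Updater /sc hourly /tr C:\\Users\\alice\\AppData\\Local\\Temp\\run.cmd"}
{"type": "process", "pid": 5400, "ppid": 4100, "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Windows\\System32\\eventvwr.msc\""}
"""

# Matches "<name>.<ext>.msc" where a second extension sits directly in front of
# .msc, e.g. "report.pdf.msc". A plain "eventvwr.msc" does not match.
DOUBLE_EXT_MSC = re.compile(r'\.[a-z0-9]{2,4}\.msc(?:["\s]|$)', re.IGNORECASE)

# DLLs legitimately loaded by mmc.exe are expected to live under these
# directories; anything else is worth a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_mmc(image: str) -> bool:
    return image.lower().endswith("\\mmc.exe")


def double_extension_msc(cmdline: str) -> bool:
    return DOUBLE_EXT_MSC.search(cmdline) is not None


def dll_outside_system_dirs(path: str) -> bool:
    p = path.lower()
    return p.endswith(".dll") and not p.startswith(SYSTEM_DIRS)


def triage(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for the three behaviours in the chain."""
    events = [json.loads(line) for line in lines if line.strip()]
    # Index process-creation records by pid so a child can look up its parent.
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Tuple[int, str]] = []

    for e in events:
        if e["type"] == "process" and is_mmc(e["image"]) and double_extension_msc(e["cmdline"]):
            findings.append((e["pid"], "mmc.exe opened a double-extension .msc file (masquerading as another file type)"))
        elif e["type"] == "image_load" and is_mmc(e["image"]) and dll_outside_system_dirs(e["loaded"]):
            findings.append((e["pid"], f"mmc.exe loaded a DLL from a non-system path: {e['loaded']}"))
        elif e["type"] == "process" and e["image"].lower().endswith("\\schtasks.exe") and "/create" in e["cmdline"].lower():
            parent = by_pid.get(e["ppid"])
            if parent is not None and is_mmc(parent["image"]):
                findings.append((e["pid"], "scheduled task created by a child of mmc.exe (possible persistence)"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS.splitlines()):
        print(f"pid {pid}: {reason}")
```

Each rule on its own is noisy (administrators open .msc files and create scheduled tasks all day), which is why the script correlates on the mmc.exe process: the double-extension name, the non-system DLL load, and the schtasks.exe child all hang off the same pid. The legitimate eventvwr.msc launch in the sample is left alone.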
The main payload is a backdoor capable of establishing contact with a remote server and executing commands sent by it to exfiltrate data from compromised systems. Securonix said the attack was disrupted 24 hours after initial infection.
It's currently not clear who's behind the malware campaign, although the threat actor known as Patchwork has been previously observed using a similar tax-related document from FBR in early December 2023.
"From the highly obfuscated JavaScript used in the initial stages to the deeply concealed malware code within the DLL, the entire attack chain exemplifies the complexities of detecting and analyzing contemporary malicious code," the researchers said.
"Another notable aspect of this campaign is the exploitation of MSC files as a potential evolution of the classic LNK file which has been popular with threat actors over the past few years. Like LNK files, they also allow for the execution of malicious code while blending into legitimate Windows administrative workflows."