A new cyberattack, being tracked as FLUX#CONSOLE, exploits user concerns about tax issues to launch an attack chain that ends with a Windows management console backdoor payload. Here’s what you need to know about the attack methodology and mitigation.

Analyzing The FLUX#CONSOLE Windows Phishing Attack

Windows phishing attacks are not new. Using tax issues as a lure in such attacks is not new. Even Windows backdoor payloads are, unfortunately, not new. Putting them all together in one attack, however, is far from commonplace. Where the FLUX#CONSOLE campaign breaks relatively unusual ground, Securonix security researchers Den Luzvyk and Tim Peck said, is in “how the threat actors leverage Microsoft Common Console Document files to deploy a dual-purpose loader and dropper to deliver further malicious payloads.”

The key takeaways from the newly published Securonix FLUX#CONSOLE Windows threat campaign analysis included:

  • The attackers used tax-themed document lures to trick victims into downloading and running malicious payloads.
  • The attackers abused Microsoft Common Console Document (.msc) files, relying on the legitimate appearance of these files to aid detection evasion.
  • A copied legitimate Windows process, Dism.exe, was used to sideload a malicious dynamic-link library file.
  • The attackers maintained persistence by the use of scheduled tasks to ensure that the backdoor malware payload stayed active and survived system reboots once installed.
  • Multiple layers of obfuscation were employed to sidetrack and complicate forensic analysis and hinder detection, including “highly obfuscated JavaScript, concealed DLL-based malware and C2 communications.”

The Windows Backdoor Exploit Attack Methodology

The attack likely starts with either a phishing email link or attachment. Although the researchers were unable to obtain the original email, the nomenclature used in the filenames suggested income tax deductions and rebates as the bait. The threat actors exploited Microsoft Management Console “snap-in files,” which are ordinarily used to configure administrative tools in Windows; think Event Viewer, Task Scheduler and Device Manager, for example. “When double-clicked,” the analysis stated, “an .msc file automatically launches the MMC framework (mmc.exe) and executes the contained instructions.” This includes executing arbitrary code without explicit user consent. The researchers said that, in the example they quoted, code execution began when the user double-clicked a file called “Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc,” which masquerades as a PDF. This disguise was aided by the fact that “the setting for common extension visibility is disabled by default in modern versions of Windows,” the researchers said. What’s more, the obfuscation appears to extend to avoiding antivirus detection, with the malicious .msc file scoring only “3/62 positive detections according to VirusTotal” at the time of writing, according to the report.

Mitigating The Windows FLUX#CONSOLE Attack Campaign

The FLUX#CONSOLE campaign highlights the persistent use of modern obfuscation techniques in malware development, the Securonix analysis concluded, and “serves as a reminder of the evolving tactics employed by threat actors and the growing challenges faced by defenders in mitigating these sophisticated threats.”

I have reached out to Microsoft for a statement.

To mitigate the Windows backdoor threat this campaign poses, Securonix recommended users avoid downloading files or attachments from external sources, especially if the source was unsolicited. “As .msc files were leveraged,” the researchers said, “look for unusual child processes spawning from the legitimate Windows mmc.exe process.” Securonix also strongly recommended the deployment of “robust endpoint logging capabilities to aid in PowerShell detections,” including “leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.”
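The hunting advice above (unusual children of mmc.exe, a copied Dism.exe, and a double-extension .msc lure) as detection logic run over constructed Sysmon-style process-creation records. This is an added example, not code from the Securonix report; the event records, field names and the allow-list of expected mmc.exe child processes are assumptions that would need tuning to a real environment.

```python
"""Flag FLUX#CONSOLE-style process activity in Sysmon-style process-creation records."""
import ntpath

# Constructed sample events in the shape of Sysmon Event ID 1 data. Not real telemetry.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\u\Downloads\Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc"'},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": "wscript.exe <constructed>"},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\Dism.exe", "CommandLine": "Dism.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\Dism.exe", "CommandLine": "Dism.exe /Online"},
]

# Children mmc.exe is expected to spawn while hosting snap-ins (assumed allow-list; tune per environment).
EXPECTED_MMC_CHILDREN = {"conhost.exe", "werfault.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def detect(event):
    """Return a list of finding strings for one process-creation event."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    findings = []
    # 1. Unusual child of mmc.exe, the hunting tip from the report.
    if parent == "mmc.exe" and name not in EXPECTED_MMC_CHILDREN:
        findings.append(f"unexpected mmc.exe child: {name}")
    # 2. Dism.exe running outside System32 suggests a copied binary used for DLL sideloading.
    if name == "dism.exe" and ntpath.dirname(image).lower() != SYSTEM_DIR:
        findings.append(f"Dism.exe outside System32: {image}")
    # 3. mmc.exe launched with a double-extension .msc lure such as name.pdf.msc.
    if name == "mmc.exe":
        for arg in event["CommandLine"].split('"'):
            stem, ext = ntpath.splitext(arg.strip())
            if ext.lower() == ".msc" and ntpath.splitext(stem)[1]:
                findings.append(f"double-extension .msc opened: {ntpath.basename(arg.strip())}")
    return findings


def scan(events):
    """Return (event index, finding) pairs for every event that triggers a rule."""
    return [(i, f) for i, e in enumerate(events) for f in detect(e)]
```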
