A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan.
Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely starts with a phishing email link or attachment, although it said it couldn’t obtain the original email used to launch the attack.
“One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads,” security researchers Den Iuzvyk and Tim Peck said.
It’s worth noting that the abuse of specially crafted management saved console (MSC) files to execute malicious code has been codenamed GrimResource by Elastic Security Labs.
The starting point is a file with double extensions (.pdf.msc) that masquerades as a PDF file (if the setting to display file extensions is disabled) and is designed to execute an embedded JavaScript code when launched using the Microsoft Management Console (MMC).
This code, in turn, is responsible for retrieving and displaying a decoy file, while also covertly loading a DLL file (“DismCore.dll”) in the background. One such document used in the campaign is named “Tax Reductions, Rebates and Credits 2024,” which is a legitimate document associated with Pakistan’s Federal Board of Revenue (FBR).
“In addition to delivering the payload from an embedded and obfuscated string, the .MSC file is able to execute additional code by reaching out to a remote HTML file which also accomplishes the same goal,” the researchers said, adding that persistence is established using scheduled tasks.
The main payload is a backdoor capable of setting up contact with a remote server and executing commands sent by it to exfiltrate data from compromised systems. Securonix said the attack was disrupted 24 hours after initial infection.
It’s currently not clear who is behind the malware campaign, although the threat actor known as Patchwork has been previously observed using a similar tax-related document from FBR in early December 2023.
Securonix told The Hacker News that while it’s “definitely possible” Patchwork could be behind the attacks, it said it was unable to build solid connections based on known TTPs and other telemetry sources to confidently state attribution.
“The referenced phishing lures look similar, however we’ve seen threat actors piggy back lures before in the past, especially with either PDFs or even image file lures,” Peck, senior threat researcher at Securonix, said. “However, if this is the case and Patchwork is responsible, it would provide further insights into their operations and current attack chains.”
“From the highly obfuscated JavaScript used in the initial stages to the deeply concealed malware code within the DLL, the entire attack chain exemplifies the complexities of detecting and analyzing contemporary malicious code,” the researchers said.
“Another notable aspect of this campaign is the exploitation of MSC files as a potential evolution of the classic LNK file which has been popular with threat actors over the past few years. Like LNK files, they also allow for the execution of malicious code while blending into legitimate Windows administrative workflows.”