Hackers Exploit Microsoft Management Console to Drop Backdoor on Windows


The Securonix Threat Research team has uncovered a sophisticated tax-themed phishing campaign that uses Microsoft Common Console Document (MSC) files and multiple layers of obfuscation to deliver a stealthy backdoor payload.

Dubbed the “FLUX#CONSOLE campaign,” this attack demonstrates the continued evolution of malicious delivery methods, potentially marking a shift from the widespread use of malicious LNK shortcut files.

The Attack Scenario

The attack begins with a phishing email featuring tax-themed lures, such as a seemingly legitimate PDF titled “Income-Tax-Deduction-and-Rebates202441712.pdf.”

While the PDF itself is harmless and functions as a decoy, the embedded MSC file executes malicious payloads in the background.

Unlike LNK files, which have been a staple in malware campaigns for years, MSC files are being increasingly leveraged for their ability to execute embedded scripts under the guise of legitimate Windows administrative tools.

Key Tactics and Techniques

The FLUX#CONSOLE campaign uses multiple advanced methods to evade detection and ensure successful payload delivery. Some of the tactics include:

  • Tax-Themed Lures (T1566): Files and documents mimic tax-related content, preying on users’ trust.
  • Exploitation of MSC Files (T1218.014): Malicious MSC files are disguised as legitimate administrative tools, executing embedded code when opened.
  • DLL Sideloading Using DISM.exe (T1574.001): The attackers sideload the malicious DLL “DismCore.dll” by abusing a legitimate Windows process (Dism.exe).
  • Persistence Through Scheduled Tasks (T1053.005): Regularly scheduled tasks ensure malware remains active, even after system reboots.
  • Advanced Obfuscation Techniques (T1027.010): Multiple layers of obfuscated code, including JavaScript and concealed DLL malware, complicate detection and analysis.


Attack Chain

A user is deceived into opening a malicious MSC file, which is disguised as a PDF (e.g., “ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc”). The MSC file contains embedded XML commands designed to either download or extract a malicious DLL payload, named DismCore.dll, from within the file or a remote server.

Acting as a dual-purpose loader and dropper, the MSC file dynamically delivers the payload. The DLL is then sideloaded using Dism.exe, a legitimate Windows tool that is copied to a staging directory for execution.

To frustrate analysis, the attackers layer encryption and code-hiding techniques over the payload. For persistence, scheduled tasks are created to execute the malicious payload every five minutes, giving the operators durable, long-term control.
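As an added defender-side example (not code from the article or from Securonix), the following Python hunts for the chain described above, an MSC opened in mmc.exe, Dism.exe run from a staging directory, DismCore.dll sideloaded from outside its normal location, and a short-interval scheduled task, across normalised process-creation, image-load and scheduled-task events. The event field names, the trusted directories and the sample paths are assumptions of the example.

```python
from pathlib import PureWindowsPath
from typing import Dict, List

# Directories where the genuine binaries live. These locations are an assumption
# of this example, not something the article states; adjust for your estate.
TRUSTED_DISM_EXE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_DISMCORE_DIRS = {r"c:\windows\system32\dism", r"c:\windows\syswow64\dism"}

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def check_event(ev: Dict) -> List[str]:
    findings: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev["image"]
        # Dism.exe is copied to a staging directory before the DLL is sideloaded
        if _name(image) == "dism.exe" and _parent_dir(image) not in TRUSTED_DISM_EXE_DIRS:
            findings.append(f"dism.exe launched from untrusted path: {image}")
        # MSC files open in mmc.exe; a console spawning other programs is unusual (assumption)
        if _name(ev.get("parent_image", "")) == "mmc.exe":
            findings.append(f"mmc.exe spawned child process: {image}")
    elif kind == "image_load":
        dll = ev["image_loaded"]
        if _name(dll) == "dismcore.dll" and _parent_dir(dll) not in TRUSTED_DISMCORE_DIRS:
            findings.append(f"DismCore.dll sideloaded from {dll} into {ev['image']}")
    elif kind == "scheduled_task":
        # Persistence: a task firing every few minutes that runs a binary outside System32
        target = ev["command"]
        if 0 < ev.get("repeat_minutes", 0) <= 5 and _parent_dir(target) not in TRUSTED_DISM_EXE_DIRS:
            findings.append(f"short-interval task ({ev['repeat_minutes']} min) runs {target}")
    return findings

def hunt(events: List[Dict]) -> List[str]:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry; the staging path is illustrative, not from the campaign
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "image": r"C:\Users\Public\Libraries\dism.exe", "parent_image": r"C:\Windows\System32\mmc.exe"},
    {"event": "image_load", "image": r"C:\Users\Public\Libraries\dism.exe", "image_loaded": r"C:\Users\Public\Libraries\DismCore.dll"},
    {"event": "image_load", "image": r"C:\Windows\System32\dism.exe", "image_loaded": r"C:\Windows\System32\Dism\DismCore.dll"},
    {"event": "scheduled_task", "command": r"C:\Users\Public\Libraries\dism.exe", "repeat_minutes": 5},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS): print("ALERT:", finding)
```

The legitimate Dism.exe loading DismCore.dll from its own directory produces no finding, so the rule keys on location rather than on the DLL name alone.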

The malicious DLL (DismCore.dll) loaded via DLL sideloading communicates with a Command-and-Control (C2) server hosted at “hxxps://siasat[.]top.” The malware exfiltrates data using encrypted HTTPS traffic to evade detection.

During the research, attackers maintained “hands-on-keyboard” access for approximately 24 hours, exfiltrating data and potentially preparing for lateral movement.

The campaign appears to target victims in Pakistan, as suggested by the tax-themed lures and filenames mimicking official government documents.

While Pakistan has faced threats from groups such as Sidewinder, Gamaredon, and Lazarus Group, the tactics, techniques, and procedures (TTPs) observed in FLUX#CONSOLE do not align with any known advanced persistent threat (APT) groups.

MSC files represent a growing threat vector. Although they are normally harmless saved-console files used by Windows administrative tools, their ability to execute embedded scripts makes them an attractive option for attackers.

By disguising these files as PDFs or other common types and embedding malicious code, threat actors bypass legacy detection methods.


IOC For SOC/DFIR Teams

C2 and infrastructure

C2 address:
  • siasat[.]top
  • hxxps://ewh.ieee[.]org/reg/ccece15/files/ccece-word-sample.pdf

Analyzed files/hashes (file name(s): SHA256)

  • ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc: b3b2d915f47aa631cc4900ec56f9b833e84d20e850d78f42f78ad80eb362b8fc
  • DismCore.dll / d9y3d2t7-jt32-s32s-kechw1297245.tmp: b33d76c413ef0f4c48a8a61cfeb5e24ff465bbc6b70bf0cada2bb44299a2768f
  • IEEE-Template-.pdf / ccece-word-sample.pdf: F6C435A9A63BDEF0517D60B6932CB05A8AF3B29FC76ABAFC5542F99070DB1E77
  • income.pdf / Income-Tax-Deduction-and-Rebates202441712.pdf: 5756F6998E14DF4DD09F92B9716CFFA5CD996D961B41B82C066F5F51C037A62F


