
In a sophisticated attack dubbed FLUX#CONSOLE, threat actors are employing tax-themed phishing lures to exploit the Microsoft Management Console (MMC), leveraging .msc files to deliver stealthy backdoor payloads. This technique, which builds on past abuses of .lnk files, represents an evolution in malware distribution strategies aimed at bypassing traditional antivirus defenses.

The campaign

Securonix Threat Research recently analyzed this campaign, revealing how malicious .msc files are masquerading as innocuous PDFs—such as “Income-Tax-Deduction-and-Rebates202441712.pdf”—to deceive users into execution. Once clicked, the .msc file uses advanced obfuscation to deploy and execute malicious DLLs, such as DismCore.dll, via legitimate Windows processes like Dism.exe.

Key Features of the Attack

  1. Abuse of .msc files: traditionally harmless configuration files for administrative tools, .msc files are being weaponized to execute embedded JavaScript and VBScript payloads.
  2. Masquerading tactics: the malware disguises itself with fake icons resembling standard PDFs, increasing the likelihood of user interaction.
  3. Advanced obfuscation: threat actors employ layered obfuscation techniques, hiding payloads within Base64-encoded strings or embedding them in remote and local scripts.
  4. Persistence mechanisms: the malware establishes persistence using scheduled tasks, ensuring its operation survives system reboots.
  5. Stealthy communication: the attack leverages encrypted communications with command-and-control (C2) servers to exfiltrate data, using encoded traffic to evade detection.

Technical insights

The .msc files contain embedded payloads that, once executed, deploy the malicious DLL DismCore.dll by hijacking the DLL search order of Dism.exe. Obfuscated JavaScript within the file further ensures the delivery and execution of the payload. The campaign also employs scheduled tasks, such as “CoreEdgeUpdateServicesTelemetryFallBack,” to maintain its foothold on compromised systems.

Attribution and targeting

The campaign primarily targets Pakistan, as inferred from document naming conventions and content. However, the tactics, techniques, and procedures (TTPs) do not align with known advanced persistent threat (APT) groups like SideWinder or Lazarus, suggesting the involvement of a new actor.

Defense recommendations

To mitigate risks from such campaigns, Securonix recommends:

  • Avoid downloading attachments or clicking links from untrusted sources.
  • Monitor unusual child processes spawned by mmc.exe.
  • Enhance endpoint monitoring and logging to detect anomalies in common malware staging directories, such as C:\ProgramData.
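The following detection script is an added example and is not code from the article or from Securonix. It turns the technical details above (an .msc launched from a user profile, mmc.exe spawning a child process, DismCore.dll resolved from a staging directory such as C:\ProgramData, and a scheduled task named CoreEdgeUpdateServicesTelemetryFallBack) into rules run over a handful of constructed, Sysmon-style JSON log lines. The event field names and the scenario in which Dism.exe itself runs from C:\ProgramData are assumptions made for the example; only the file name, DLL name, task name and staging directory come from the report.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style JSON-lines telemetry (not real logs). Field names
# are assumptions for this example; the .msc name, DismCore.dll, the task name
# and C:\ProgramData are taken from the report. The copy of Dism.exe under
# C:\ProgramData is an assumed scenario, used to exercise the staging-dir rule.
SAMPLE_EVENTS = r"""
{"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "mmc.exe \"C:\\Users\\victim\\Downloads\\Income-Tax-Deduction-and-Rebates202441712.pdf.msc\""}
{"type": "process_create", "parent_image": "C:\\Windows\\System32\\mmc.exe", "image": "C:\\ProgramData\\Dism.exe", "cmdline": "Dism.exe"}
{"type": "image_load", "image": "C:\\ProgramData\\Dism.exe", "module": "C:\\ProgramData\\DismCore.dll"}
{"type": "process_create", "parent_image": "C:\\ProgramData\\Dism.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn CoreEdgeUpdateServicesTelemetryFallBack /tr C:\\ProgramData\\Dism.exe /sc onlogon"}
{"type": "image_load", "image": "C:\\Windows\\System32\\Dism.exe", "module": "C:\\Windows\\System32\\Dism\\DismCore.dll"}
{"type": "process_create", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
"""

WINDOWS_DIR = "c:\\windows\\"
# Common malware staging directories; C:\ProgramData is the one the report names.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
# Scheduled task name quoted in the Securonix write-up.
REPORTED_TASK_NAMES = {"coreedgeupdateservicestelemetryfallback"}


def norm(path: str) -> str:
    """Lower-case a Windows path and unify separators for prefix checks."""
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_staging_dir(path: str) -> bool:
    p = norm(path)
    return any(s in p for s in STAGING_DIRS)


def check_process_create(ev: dict) -> list[str]:
    hits = []
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    cmd = ev.get("cmdline", "").lower()
    # Rule 0: mmc.exe opening a .msc from a user profile. Legitimate consoles
    # live under C:\Windows\System32, not in Downloads.
    if child == "mmc.exe" and ".msc" in cmd and "\\users\\" in cmd:
        hits.append("msc_from_user_profile")
    # Rule 1: mmc.exe rarely spawns children; any child deserves a look.
    # An allowlist tuned to your environment's snap-ins belongs here.
    if parent == "mmc.exe":
        hits.append("mmc_child_process")
    # Rule 2: anything executing out of a staging directory.
    if in_staging_dir(ev["image"]):
        hits.append("exec_from_staging_dir")
    # Rule 3: scheduled-task persistence using a task name seen in the campaign.
    if child == "schtasks.exe" and "/create" in cmd and any(n in cmd for n in REPORTED_TASK_NAMES):
        hits.append("known_malicious_task_name")
    return hits


def check_image_load(ev: dict) -> list[str]:
    hits = []
    # Rule 4: DismCore.dll resolved from outside C:\Windows indicates the
    # DLL search-order hijack of Dism.exe described in the report.
    if basename(ev["module"]) == "dismcore.dll" and not norm(ev["module"]).startswith(WINDOWS_DIR):
        hits.append("dismcore_dll_outside_windows_dir")
    return hits


def detect(jsonl: str) -> list[dict]:
    """Run every rule over JSON-lines telemetry and return one alert per hit."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process_create":
            hits = check_process_create(ev)
        elif ev["type"] == "image_load":
            hits = check_image_load(ev)
        else:
            hits = []
        for rule in hits:
            alerts.append({"rule": rule, "image": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:36} {alert['image']}")
```

Rules 1 and 2 are deliberately broad and will need an environment-specific allowlist; the value of this layout is that each alert carries the rule name, so noisy rules can be tuned or weighted without touching the others. The benign Dism.exe load from C:\Windows\System32\Dism and the services.exe/svchost.exe pair in the sample produce no alerts, which is the sanity check a practitioner would add first.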

The FLUX#CONSOLE campaign underscores the adaptability of modern threat actors in leveraging unconventional attack vectors. By exploiting legitimate Windows tools and employing advanced obfuscation, these attacks highlight the growing challenges for cybersecurity defenses in detecting and neutralizing emerging threats.
