FLUX#CONSOLE Campaign: Tax-Themed Phishing Hides Malware
During the investigation into the FLUX#CONSOLE campaign, researchers at Securonix identified a new delivery approach: phishing emails with tax-related themes that carry MSC (Microsoft Common Console Document) files. Disguised as PDF documents, the MSC files download and execute a hidden malicious DLL.
The infection chain begins when the user opens an attachment or follows a link embedded in the email. One lure is named “Income-Tax-Deduction-and-Rebates202441712.pdf” and purports to concern income tax in Pakistan. The decoy PDF the user sees is harmless; it holds their attention while the MSC file quietly downloads the malware.
Malicious MSC files abuse the legitimate Microsoft Management Console (MMC) to run scripts embedded in the console document, which lets them pass antivirus defenses that trust mmc.exe. The file in this case retrieved a library named “DismCore.dll” and had it loaded by the legitimate system utility “DISM.exe” through DLL search-order hijacking (sideloading), so the attacker's code runs inside a trusted Microsoft binary.
The campaign layers several concealment techniques. The script inside the MSC file is obfuscated JavaScript, persistence is established through Windows Task Scheduler tasks that are hidden from the user, and the console document relies on MMC interface elements that never become visible to the victim.
Researchers stress that such files are hard to catch with signature-based tools: at the time of analysis the MSC file was flagged by only 3 of 62 engines on VirusTotal. The attack chain is also resilient because it is built in layers; if one payload-delivery method fails, an alternative mechanism takes over.
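The concealment described above can be triaged statically: an MSC file is XML, and any script or command it carries ends up as text in its StringTable. The scanner below is an added example written for this article, not code from Securonix or from the campaign. It parses a constructed, simplified console document, flags strings that contain script tags, eval/unescape calls, scheduled-task commands or references to public directories, and decodes JavaScript %uXXXX escapes as one illustration of the kind of obfuscation the page mentions. The sample strings and the indicator list are assumptions, not artifacts recovered from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified console document. Real .msc files are XML with an
# MMC_ConsoleFile root and a StringTables section; the strings below are
# placeholders for illustration, not content recovered from the campaign.
SAMPLE_MSC = """<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Income Tax Deductions and Rebates</String>
        <String ID="2" Refs="1">&lt;script&gt;var s=unescape("%u0063%u0061%u006C%u0063");eval(s);&lt;/script&gt;</String>
        <String ID="3" Refs="1">schtasks /create /tn Updater /tr C:\\Users\\Public\\Dism.exe /sc minute</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Indicator patterns (an assumed triage list, not a signature from the report).
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "scripting_object": re.compile(r"ActiveXObject|WScript\.Shell|Shell\.Application", re.I),
    "eval_or_decode": re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I),
    "scheduled_task": re.compile(r"\bschtasks\b|Schedule\.Service", re.I),
    "public_dir": re.compile(r"Users\\Public|ProgramData", re.I),
}

def decode_unescape(text):
    """Resolve JavaScript %uXXXX and %XX escapes so hidden strings become readable."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def scan_msc(xml_text):
    """Return one finding per StringTable entry that matches any indicator.

    Each indicator is tested against both the raw string and its decoded form,
    so an escape-encoded payload cannot hide a keyword from the scan."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("String"):
        raw = node.text or ""
        decoded = decode_unescape(raw)
        hits = sorted(name for name, rx in INDICATORS.items()
                      if rx.search(raw) or rx.search(decoded))
        if hits:
            findings.append({"id": node.get("ID"), "indicators": hits, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in scan_msc(SAMPLE_MSC):
        print(f"String ID {f['id']}: {', '.join(f['indicators'])}")
        print("    ", f["decoded"][:80])
```

Run against the sample, the scanner skips the benign title string and reports IDs 2 and 3; the decoded copy of string 2 shows the unescaped argument in clear. In practice the indicator list should be extended with whatever the analyst sees in real samples, and any String entry that references a URL or a file in a user-writable path deserves the same scrutiny.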
The FLUX#CONSOLE campaign primarily targeted users in Pakistan, as evidenced by the bait content and file naming conventions. However, the use of MSC files suggests a potential expansion of the threat beyond the region.
Recommended mitigations: do not open unsolicited attachments or download files from untrusted links; monitor process activity around “mmc.exe” (in particular consoles opened from user-writable locations and any child processes it spawns) and executable activity in public directories such as C:\Users\Public; and deploy endpoint logging such as Sysmon so that process creation and DLL loads are recorded and anomalous operations can be investigated.
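The monitoring advice above, together with the mmc.exe and DISM.exe sideloading behaviour described earlier, can be turned into concrete detection logic. The script below is an added example for this article, not a Securonix detection or a published Sysmon rule. It runs three checks over constructed Sysmon-style events (EventID 1 process creation and EventID 7 image load) flattened to key=value lines: mmc.exe opening a .msc console from a user-writable directory, a child of mmc.exe starting from such a directory, and DismCore.dll (or Dism.exe itself) running from outside the Windows directory. The log lines, user names and file names are invented for the example, and the list of user-writable locations is an assumption to tune per environment.

```python
import re

# Constructed Sysmon-style telemetry flattened to key=value pairs separated by '|'.
# EventID 1 = process creation, EventID 7 = image (DLL) load, as in Sysmon.
# Paths and file names are invented for the example; they are not campaign artifacts.
SAMPLE_LOG = r"""
EventID=1|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Tax-Rebates.pdf.msc"|ParentImage=C:\Windows\explorer.exe
EventID=1|Image=C:\Users\Public\Dism.exe|CommandLine="C:\Users\Public\Dism.exe"|ParentImage=C:\Windows\System32\mmc.exe
EventID=7|Image=C:\Users\Public\Dism.exe|ImageLoaded=C:\Users\Public\DismCore.dll
EventID=1|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"|ParentImage=C:\Windows\explorer.exe
EventID=7|Image=C:\Windows\System32\Dism.exe|ImageLoaded=C:\Windows\System32\Dism\DismCore.dll
"""

# Locations an unprivileged user can write to (assumed list); consoles or
# binaries found there are suspect.
USER_WRITABLE = re.compile(
    r"\\(users\\public|users\\[^\\]+\\(downloads|appdata|desktop)|programdata|windows\\temp)\\",
    re.I)
WINDOWS_DIR = "c:\\windows\\"

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split("|"))

def detect(event):
    """Apply the detections to one event and return the names of the rules that fired."""
    alerts = []
    image = event.get("Image", "").lower()
    if event.get("EventID") == "1":
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "").lower()
        # mmc.exe opening a .msc console that lives in a user-writable directory
        if image.endswith("\\mmc.exe") and re.search(r"\.msc\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            alerts.append("mmc_msc_from_user_writable_dir")
        # a child process of mmc.exe started from a user-writable directory
        if parent.endswith("\\mmc.exe") and USER_WRITABLE.search(image):
            alerts.append("mmc_child_from_user_writable_dir")
        # the DISM utility running from anywhere other than the Windows directory
        if image.endswith("\\dism.exe") and not image.startswith(WINDOWS_DIR):
            alerts.append("dism_exe_outside_windows")
    elif event.get("EventID") == "7":
        loaded = event.get("ImageLoaded", "").lower()
        # DismCore.dll loaded from outside the Windows directory: the sideloading pattern
        if loaded.endswith("\\dismcore.dll") and not loaded.startswith(WINDOWS_DIR):
            alerts.append("dismcore_sideload_outside_windows")
    return alerts

def run(log_text):
    """Return (line_index, alerts) for every event that triggered at least one rule."""
    results = []
    for idx, line in enumerate(l for l in log_text.splitlines() if l.strip()):
        alerts = detect(parse_event(line.strip()))
        if alerts:
            results.append((idx, alerts))
    return results

if __name__ == "__main__":
    for idx, alerts in run(SAMPLE_LOG):
        print(f"event {idx}: {', '.join(alerts)}")
```

The two legitimate events in the sample (Event Viewer opened from System32, and the real DismCore.dll loaded from C:\Windows\System32\Dism) produce no alert, while the three events that model the campaign's chain each fire at least one rule. In a production deployment the same logic belongs in the SIEM query language of choice, with the Sysmon configuration set to log image loads for Dism.exe so that EventID 7 is actually available.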