Threat Actors Exploit Windows Management Console to Deliver Backdoors via Tax Lures

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A sophisticated phishing campaign has surfaced that leverages MSC (Microsoft Common Console Document) files and advanced obfuscation techniques to deliver stealthy backdoor payloads.

Dubbed FLUX#CONSOLE, this campaign highlights a shift in attack methods as threat actors explore new avenues to bypass traditional antivirus (AV) detections, according to the latest security report from the Securonix Threat Research team.

The campaign appears to begin with tax-themed phishing emails designed to trick recipients into clicking on links or downloading attachments. Although the original phishing emails could not be retrieved, the filenames and lure documents suggest common tax-related themes.

The content is formatted in English, and at least one document resembles an official tax document from Pakistan.

Document lure (ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc) as it would appear to the user | Source: Securonix

The PDF itself is harmless, acting as a distraction. However, while the user engages with the document, the malicious payload executes in the background through an unconventional delivery mechanism.

Unlike the commonly abused LNK files in malware campaigns, FLUX#CONSOLE employs MSC files—a less frequently used, yet equally effective, vector for delivering malicious payloads. These files exploit their legitimate appearance to entice users into executing malicious code with a simple double-click. 

The .msc file is essentially XML formatted and can execute embedded payloads written in VBScript or JavaScript. Upon execution, the MSC file serves as a dual-purpose loader and dropper: it deploys an obfuscated backdoor DLL, downloading and executing the malicious DLL file “DismCore.dll” by sideloading it through the legitimate DISM.exe Windows process.
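The two behaviours described above, an MSC document carrying script content and DISM.exe sideloading a rogue DismCore.dll, are both things a defender can check for. The following Python is an added example written for this page; it is not code from the Securonix report or from this article. The .msc XML samples, the image-load telemetry events, the indicator string list and the assumed legitimate location of DismCore.dll under the Windows directory are all constructed assumptions, not artefacts from the campaign.

```python
"""Triage helpers for the FLUX#CONSOLE-style MSC lure and DISM sideload.

Added example; all samples below are constructed, not real campaign data.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed MSC document. Real MSC files are XML with an MMC_ConsoleFile
# root; the string-table entry holding script text is the suspicious part.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
    <String ID="2">&lt;script&gt;var sh = new ActiveXObject("WScript.Shell");&lt;/script&gt;</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign console that only names a snap-in.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
    <String ID="2">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

# Indicator substrings (assumed list) that have no business in a console
# definition: script tags, script URI schemes, script hosts, and the
# sideloaded DLL name named in the report.
SCRIPT_INDICATORS = (
    "<script", "javascript:", "vbscript:", "activexobject",
    "wscript.shell", "eval(", "unescape(", "dismcore.dll",
)

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def scan_msc(xml_text: str) -> list[str]:
    """Return the indicators found in any text node or attribute of an MSC file."""
    root = ET.fromstring(xml_text)
    if root.tag != "MMC_ConsoleFile":
        raise ValueError(f"not an MMC console document: root is <{root.tag}>")
    hits = set()
    for elem in root.iter():
        # Entity-escaped script (&lt;script&gt;) is decoded by the parser,
        # so matching on the decoded text catches it.
        for text in (elem.text, elem.tail, *elem.attrib.values()):
            if not text:
                continue
            low = text.lower()
            hits.update(ind for ind in SCRIPT_INDICATORS if ind in low)
    return sorted(hits)


def has_decoy_extension(filename: str) -> bool:
    """True when a document-looking extension is stacked in front of .msc."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] == ".msc"
            and suffixes[-2] in DOC_EXTENSIONS)


# Constructed image-load telemetry: the first event is the assumed normal
# case, the second models a copied DISM.exe loading a DLL from a user-writable
# path (the sideload pattern described in the article).
SIDELOAD_EVENTS = [
    {"image": r"C:\Windows\System32\Dism.exe",
     "loaded": r"C:\Windows\System32\Dism\DismCore.dll", "signed": True},
    {"image": r"C:\Users\victim\AppData\Local\Temp\DISM.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\DismCore.dll", "signed": False},
]


def flag_dism_sideload(event: dict) -> bool:
    """Flag DISM.exe loading a DismCore.dll from outside the Windows directory or unsigned."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    if image.name.lower() != "dism.exe" or loaded.name.lower() != "dismcore.dll":
        return False
    parts = loaded.parts  # ('C:\\', 'Windows', ...) for a Windows-directory path
    in_windows = len(parts) > 1 and parts[1].lower() == "windows"
    return (not in_windows) or (not event.get("signed", False))


if __name__ == "__main__":
    print("suspicious msc:", scan_msc(SUSPICIOUS_MSC))
    print("benign msc:", scan_msc(BENIGN_MSC))
    print("decoy name:", has_decoy_extension("ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc"))
    for ev in SIDELOAD_EVENTS:
        print("sideload:", flag_dism_sideload(ev), ev["loaded"])
```

The static scan is deliberately coarse: MMC console files describe snap-ins and string tables, so any script tag, script host object or script URI inside one is worth a manual look, and the stacked `.pdf.msc` extension from the lure filename quoted on this page is a cheap mail-gateway check on its own. The telemetry rule keys on the process and DLL names named in the article and treats a DismCore.dll loaded from outside the Windows directory, or lacking a valid signature, as the sideload signal.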

This marks an innovative turn in phishing techniques: MSC files, typically associated with Windows administrative tools, successfully disguise malware delivery as a legitimate initial vector.

FLUX#CONSOLE allows for stealthy and persistent access, and security researchers believe that Pakistan is the primary target. Several APT groups such as Sidewinder, Gamaredon, and Lazarus Group continuously target Pakistan, but none of the TTPs observed in this campaign overlap with those threat actors.
