Warning As Windows Backdoor Attack Uses Tax Lures And Microsoft Console Files
A newly documented campaign, tracked as FLUX#CONSOLE, plays on people's worries about tax matters to lure them into opening a Microsoft Management Console file that ends in a Windows backdoor payload. Here's what you need to know about how the attack works and how to defend against it.
Examining the FLUX#CONSOLE Windows Phishing Attack
Phishing attacks against Windows users aren't novel. Employing tax issues as bait in these attacks isn't either. Nor are Windows backdoor payloads. Blending them all together in a single attack chain, however, is quite uncommon. The FLUX#CONSOLE campaign distinguishes itself, according to Securonix security researchers Den Iuzvyk and Tim Peck, in "how the threat actors utilize Microsoft Common Console Document files to deploy a dual-role loader and dropper to distribute further malicious payloads."
The main takeaways from the recently published Securonix analysis of the FLUX#CONSOLE Windows threat campaign were:
- The attackers used tax-themed document lures to persuade victims into downloading and executing malicious payloads.
- The attackers abused Microsoft Common Console Document (.msc) files, whose legitimate appearance as a Windows administrative artifact helps them evade detection.
- A copy of the legitimate Windows binary Dism.exe was abused to sideload a malicious dynamic-link library.
- The attackers established persistence through scheduled tasks, so that the backdoor payload stayed active and survived system reboots after installation.
- Multiple layers of obfuscation were employed to complicate forensic analysis and hinder detection, including "extremely obfuscated JavaScript, concealed DLL-based malware, and C2 communications."
The Windows Backdoor Exploit Attack Strategy
The attack most likely begins with either a phishing email link or attachment, although the researchers could not obtain the original email. The file names point to income tax deductions and rebates as the hook. The threat actors abused Microsoft Management Console "snap-in files" that are typically used to save configured administrative tools in Windows, such as Event Viewer, Task Scheduler, and Device Manager. According to the analysis, "when double-clicked," an .msc file "automatically launches the MMC framework (mmc.exe) and executes the contained instructions." That includes executing arbitrary code without any further consent from the user.

The researchers stated that code execution commenced once the user double-clicked a file called "Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc," which disguises itself as a PDF. The disguise works because "the setting for common extension visibility is disabled by default in modern versions of Windows," the researchers stated, so the trailing ".msc" is hidden and the user sees only ".pdf". The same disguise also seems to help the file slip past antivirus engines: the malicious .msc file scored "3/62 positive detections according to VirusTotal," as stated in the report.
Countering the Windows FLUX#CONSOLE Attack Campaign
The FLUX#CONSOLE campaign illustrates the continuing use of modern obfuscation techniques in malware development, according to the Securonix analysis, and serves as a reminder of "the evolving tactics employed by threat actors and the growing challenges faced by defenders in mitigating these sophisticated threats."
I reached out to Microsoft for a statement.
To counter the Windows backdoor threat posed by this campaign, Securonix suggested users avoid downloading files or attachments from external sources, especially if the source is unsolicited. For defenders, "given that .msc files were utilized," the researchers stated, "look for unusual child processes spawning from the legitimate Windows mmc.exe process." Securonix also strongly recommended deploying "robust endpoint logging capabilities to aid in PowerShell detections," including "leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage."
- The FLUX#CONSOLE cyberattack is a notable example of a Windows hack that uses phishing tactics, leveraging tax issues as bait to install a Windows backdoor payload.
- In their analysis of the FLUX#CONSOLE Windows threat campaign, Securonix researchers highlighted the use of tax-themed document lures to distribute malicious payloads through Microsoft Common Console Document files, which Windows hides as a ".pdf" because known file extensions are not shown by default.
- Securonix advised users to be wary of downloading files or attachments from unsolicited sources, and advised defenders to watch for unusual child processes of mmc.exe. Microsoft has been asked for a statement.
- To address the threat posed by the FLUX#CONSOLE campaign, Securonix suggested deploying robust endpoint logging capabilities and leveraging additional process-level logging like Sysmon and PowerShell logging for enhanced log detection coverage.
- The low antivirus detection rate of the lure file (3 of 62 engines on VirusTotal) and the layered obfuscation illustrate, in the researchers' words, "the evolving tactics employed by threat actors and the growing challenges faced by defenders."