
New Microsoft Hack Warning: Windows Backdoor Attackers Strike


Beware the New Windows Cyberattack—What You Need to Know About the Tax 2024 Backdoor Hack

Analyzing the FLUX#CONSOLE Windows Phishing Attack

Windows phishing attacks are not new, and neither is using tax issues as the lure. Even Windows backdoor payloads are not new, but combining all three in a single attack chain is relatively unusual. The FLUX#CONSOLE campaign breaks new ground by abusing Microsoft Common Console Document (.msc) files to deploy a dual-purpose loader and dropper that delivers further malicious payloads.

The key takeaways from the Securonix FLUX#CONSOLE Windows threat campaign analysis include:

• The attackers used tax-themed document lures to trick victims into downloading and running malicious payloads.
• The attackers abused Microsoft Common Console Document (.msc) files, whose legitimate appearance as Windows administrative consoles helps them evade detection.
• A copy of the legitimate Windows binary Dism.exe was used to sideload a malicious dynamic-link library (DLL).
• Persistence was maintained through scheduled tasks, so the backdoor payload stayed active and survived system reboots once installed.
• Multiple layers of obfuscation were employed to sidetrack and complicate forensic analysis and hinder detection, including “highly obfuscated JavaScript, concealed DLL-based malware and C2 communications.”

The Windows Backdoor Exploit Attack Methodology

The attack most likely starts with a phishing email link or attachment. The researchers were unable to obtain the original email, but the naming of the files suggested income tax deductions and rebates as the bait. The threat actors abused Microsoft Management Console files (often called “snap-in files”), which are ordinarily used to configure administrative tools in Windows. “When double-clicked,” the analysis stated, “an .msc file automatically launches the MMC framework (mmc.exe) and executes the contained instructions.” In this campaign those instructions ran the attackers' code, with no consent prompt beyond the act of opening the file.
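Because the whole chain hinges on what an .msc file is allowed to carry, a triage script for suspicious .msc attachments is the first thing a responder wants. The following is an added example, not code from the Securonix analysis or from this article. It assumes only that .msc files are XML whose root element is MMC_ConsoleFile; the marker list is ours, and both sample files are constructed for illustration rather than taken from the campaign.

```python
"""Triage an .msc (Microsoft Common Console Document) file for embedded script.

Added example; not code from the Securonix analysis or this article.
Assumes only that .msc files are XML whose root element is MMC_ConsoleFile.
The marker list is ours and both sample files below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Substrings that have no business in a console definition. Names are ours.
SCRIPT_MARKERS = {
    "javascript_uri": re.compile(r"javascript:", re.I),
    "script_tag": re.compile(r"<script\b", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "activex": re.compile(r"ActiveXObject\s*\(", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
}
# A console label this long is an obfuscated blob, not a label (threshold is ours).
LONG_STRING = 512


def _text_nodes(root):
    """Yield (location, text) for every non-empty text node and attribute value."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text
        for name, value in elem.attrib.items():
            yield f"{elem.tag}@{name}", value


def scan_msc(data):
    """Return a list of (location, finding) pairs; an empty list means nothing suspicious."""
    root = ET.fromstring(data)
    if not root.tag.endswith("MMC_ConsoleFile"):
        raise ValueError(f"not an MMC console file (root element {root.tag!r})")
    findings = []
    for where, text in _text_nodes(root):
        for name, pattern in SCRIPT_MARKERS.items():
            if pattern.search(text):
                findings.append((where, name))
        if len(text) >= LONG_STRING:
            findings.append((where, "long_string"))
    return findings


# Constructed benign console: a single string-table entry and nothing else.
BENIGN_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Services</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Constructed lure: one entry carrying obfuscated JavaScript, one that is just a long hex blob.
LURE_MSC = (b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">javascript:eval(String.fromCharCode(118,97,114,32,120))</String>
    <String ID="2" Refs="1">""" + b"4142" * 160 + b"""</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>""")

if __name__ == "__main__":
    print("benign:", scan_msc(BENIGN_MSC))
    print("lure:  ", scan_msc(LURE_MSC))
```

The scanner deliberately walks every text node and attribute rather than a fixed set of element names, so a payload hidden in an unexpected part of the console XML still surfaces; tune LONG_STRING against your own fleet's legitimate consoles before alerting on it.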

Mitigating the Windows FLUX#CONSOLE Attack Campaign

To mitigate the Windows backdoor threat this campaign poses, Securonix recommended that users avoid downloading files or attachments from external sources, especially unsolicited ones. The researchers also strongly recommended deploying “robust endpoint logging capabilities to aid in PowerShell detections,” including “leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.” Since the chain runs through mmc.exe, a relocated copy of Dism.exe and a scheduled task, that process-level logging is what makes the stages after the lure visible to defenders.

Conclusion

The FLUX#CONSOLE campaign highlights the persistent use of modern obfuscation techniques in malware development and serves as a reminder of the evolving tactics employed by threat actors and the growing challenges faced by defenders in mitigating these sophisticated threats.

Frequently Asked Questions

Q: What is the FLUX#CONSOLE Windows attack?
A: FLUX#CONSOLE is a new Windows cyberattack that uses tax-themed document lures to trick victims into downloading and running malicious payloads.

Q: What is the purpose of the attack?
A: The attack uses a Microsoft Management Console (.msc) file lure to deliver a backdoor: a malicious DLL sideloaded by a copy of the legitimate Dism.exe and kept alive by a scheduled task.

Q: How can I mitigate the attack?
A: To mitigate the attack, avoid downloading files or attachments from external sources, especially if the source was unsolicited, and deploy robust endpoint logging capabilities to aid in PowerShell detections.

Q: How common is this type of attack?
A: Attacks combining these particular elements are uncommon, but the use of modern obfuscation techniques in malware development is a growing trend.
