FLUX#CONSOLE Cyberattack: What You Need to Know to Protect Your Windows

A new cyberattack tracked as FLUX#CONSOLE poses as correspondence about tax matters and targets Windows users. The attack starts with phishing and ends with a backdoor delivered through a Microsoft Management Console (.msc) file. This article walks through the attack methodology and uses it to give recommendations on how to protect your systems.

FLUX#CONSOLE Windows Phishing Attack: A Dissection

Phishing campaigns aimed at Windows systems are nothing new, but FLUX#CONSOLE stands out for its use of Microsoft Common Console Document (.msc) files. Security researchers Den Luzvyk and Tim Peck of Securonix describe the campaign as a well-orchestrated, tax-themed phishing lure combined with a Windows backdoor.

Key Features of the FLUX#CONSOLE Campaign:

Tax-Themed Lures: The attackers use tax-related document names to get victims to download and run the malicious file.

Abuse of .msc Files: The campaign delivers Microsoft Common Console Document files that look like ordinary console files but carry the malicious code.

Sideloading Malicious DLLs: The attackers abuse a legitimate Windows tool, Dism.exe (Deployment Image Servicing and Management), to load a malicious DLL.

Persistence Mechanisms: Scheduled tasks relaunch the backdoor after a reboot so that it survives under the cover of a legitimate program.

Advanced Obfuscation: The campaign uses obfuscated JavaScript embedded in the console file, a concealed DLL payload, and sophisticated command-and-control (C2) communication to hinder analysis.

How the FLUX#CONSOLE Attack Works

The attack most likely starts with a phishing email carrying a malicious link or attachment. The researchers could not obtain the original email, but the filenames they recovered refer to taxes, deductions and rebates, which indicates the bait that was used.

The attackers abuse Microsoft Management Console (MMC) console files, the same .msc format behind built-in administrative consoles such as Task Scheduler and Event Viewer. When an .msc file is double-clicked, it is opened by mmc.exe, and the console definition it contains can instruct mmc.exe to run commands directly.

One sample highlighted by Securonix was named “Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc”. It posed as a PDF, but it was a console file whose embedded code ran as soon as it was opened. The disguise is helped by the default Windows setting that hides known file extensions, so the file appears to end in “.pdf”.

The malicious .msc file was also good at evading antivirus: at the time of analysis only 3 of 62 engines on VirusTotal flagged it, which underlines how heavily it was obfuscated.
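The following Python script, added to this article as an illustration and not taken from Securonix or from the campaign itself, shows how a console file can be triaged statically before anyone opens it. It parses the .msc XML, flags strings that a console has no reason to contain (script engines, shell commands, long encoded blobs) and checks the filename for the double-extension trick. The two sample console files, the indicator list and the element names are constructed assumptions for the example; they follow the general MMC_ConsoleFile layout but are not an authoritative schema.

```python
"""Static triage of a Microsoft Common Console Document (.msc) file.

Added example for this article; it is not Securonix code or anything from the
FLUX#CONSOLE campaign. A console file is XML that mmc.exe interprets, so a lure
can be triaged before it is double-clicked: a console that merely opens a
snap-in has no reason to carry script engines, shell commands or long encoded
blobs. The two samples below are constructed for this example and follow the
general MMC_ConsoleFile layout only loosely (assumed element names).
"""
import re
import xml.etree.ElementTree as ET

# Substrings that have no business in a console definition (assumed indicator set).
SCRIPT_INDICATORS = (
    "ActiveXObject", "WScript.Shell", "eval(", "unescape(", "fromCharCode",
    "javascript:", "vbscript:", "powershell", "cmd.exe", "rundll32",
    "regsvr32", "mshta", "Dism.exe",
)
# Decoy extensions Explorer shows when "hide known extensions" is on, and the
# real, executable extensions that hide behind them.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTENSIONS = {"msc", "lnk", "js", "jse", "vbs", "hta", "exe", "scr", "bat", "cmd"}

# Constructed sample: a console whose string table carries script and whose
# taskpad launches a shell command.
MALICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">var sh = new ActiveXObject("WScript.Shell");
          eval(unescape("%73%68%2e%52%75%6e"));</String>
      </Strings>
    </StringTable>
  </StringTables>
  <Taskpad Name="Open">
    <Task Type="CommandLine" Name="Open">
      <CommandLine Command="cmd.exe" Arguments="/c start Dism.exe"/>
    </Task>
  </Taskpad>
</MMC_ConsoleFile>
"""

# Constructed sample: a console that only names a snap-in.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def has_double_extension(filename: str) -> bool:
    """True for names like 'report.pdf.msc': decoy document extension, real executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTENSIONS and parts[2] in EXECUTABLE_EXTENSIONS


def iter_strings(root):
    """Yield (location, text) for every element body and attribute value in the XML."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text
        for name, value in elem.attrib.items():
            yield f"{elem.tag}@{name}", value


def scan_msc(xml_text: str, filename: str = "") -> dict:
    """Return indicator hits and a verdict for one console file."""
    root = ET.fromstring(xml_text)
    hits = []
    for location, text in iter_strings(root):
        lowered = text.lower()
        for needle in SCRIPT_INDICATORS:
            if needle.lower() in lowered:
                hits.append((location, needle))
        # A long run of hex/base64-looking characters is typical of an obfuscated payload.
        if re.search(r"[A-Za-z0-9+/=%]{200,}", text.replace("\n", "").replace(" ", "")):
            hits.append((location, "long-encoded-blob"))
    double_ext = has_double_extension(filename)
    return {
        "indicators": hits,
        "double_extension": double_ext,
        "suspicious": bool(hits) or double_ext,
    }


if __name__ == "__main__":
    for name, blob in (("Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc", MALICIOUS_MSC),
                       ("eventvwr.msc", BENIGN_MSC)):
        print(name, scan_msc(blob, name))
```

Because the scan walks every element and attribute rather than relying on a fixed schema, it still catches script placed in an element the scanner's author did not anticipate; tune the indicator list to what your own administrative consoles legitimately contain.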


Countermeasures for the FLUX#CONSOLE Campaign

The FLUX#CONSOLE campaign is a logical next step in the evolution of modern cyber threats and shows the growing need for effective countermeasures.

Key Recommendations:

Avoid Unsolicited Files: Do not open emails or attachments from unknown senders, especially when they concern taxes or other sensitive matters.

Monitor Unusual Processes: Watch for unexpected child processes spawned by mmc.exe; opening a console file should not normally launch script hosts, Dism.exe or other executables.

Enhance Endpoint Logging: Use tools such as Sysmon and PowerShell logging to record process creation, image loads and script activity so that malicious behaviour can be traced.

Strengthen Security Awareness: Train employees and users to recognise phishing and social-engineering tricks of this kind.

Securonix also advises deploying endpoint detection and response (EDR) to counter attacks of this complexity.
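Here is what the process-monitoring and logging recommendations above look like as concrete detection logic. This Python script is an added example written for this article; it is not a Securonix rule or any EDR product's logic. It runs over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events modelling the chain described in the article, and the sample events, paths, user name, DLL name and allow-lists are all assumptions that would need tuning to a real environment.

```python
"""Detection logic for the mmc.exe / Dism.exe / scheduled-task pattern, run over
constructed Sysmon-style events.

Added example for this article, not a Securonix rule or an excerpt from any EDR
product. Each event is a dict using the field names Sysmon emits for process
creation (EventID 1) and image load (EventID 7). The sample events, the
user/path/DLL names in them and the allow-lists are constructed assumptions.
"""
import re

# Children mmc.exe is expected to start in this (assumed) environment; anything else is unusual.
EXPECTED_MMC_CHILDREN = {"mmc.exe", "werfault.exe"}
# Parents that should not be creating scheduled tasks (assumed set).
SUSPICIOUS_SCHTASKS_PARENTS = {"mmc.exe", "dism.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations from which Dism.exe and the DLLs it loads are expected to come.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def detect(events):
    """Return a list of (rule, evidence) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        if ev["EventID"] == 1:
            parent = basename(ev.get("ParentImage", ""))
            cmdline = ev.get("CommandLine", "")
            # Rule 1: mmc.exe opening a double-extension lure such as name.pdf.msc
            if image == "mmc.exe" and re.search(r'\.[a-z0-9]{2,4}\.msc"?\s*$', cmdline, re.I):
                alerts.append(("msc-double-extension", cmdline))
            # Rule 2: anything unusual spawned by mmc.exe (a console file running commands)
            if parent == "mmc.exe" and image not in EXPECTED_MMC_CHILDREN:
                alerts.append(("mmc-unusual-child", ev["Image"]))
            # Rule 3: Dism.exe running from a user-writable location (copied out for sideloading)
            if image == "dism.exe" and not is_trusted_path(ev["Image"]):
                alerts.append(("dism-untrusted-location", ev["Image"]))
            # Rule 4: scheduled-task persistence created by a script host or an abused LOLBin
            if image == "schtasks.exe" and "/create" in cmdline.lower() and parent in SUSPICIOUS_SCHTASKS_PARENTS:
                alerts.append(("schtasks-persistence", cmdline))
        elif ev["EventID"] == 7:
            # Rule 5: Dism.exe loading a DLL from outside the Windows system directories
            if image == "dism.exe" and not is_trusted_path(ev.get("ImageLoaded", "")):
                alerts.append(("dism-dll-sideload", ev["ImageLoaded"]))
    return alerts


# Constructed events modelling the chain in the article: lure opened by mmc.exe,
# Dism.exe copied to a temp directory and started, a DLL sideloaded into it,
# and a scheduled task created for persistence. "loader.dll" is a placeholder name.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
ATTACK_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc"'},
    {"EventID": 1, "Image": TEMP + r"\Dism.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": TEMP + r"\Dism.exe"},
    {"EventID": 7, "Image": TEMP + r"\Dism.exe", "ImageLoaded": TEMP + r"\loader.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": TEMP + r"\Dism.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "' + TEMP + r'\Dism.exe"'},
]
# Constructed benign activity: an administrator opening Event Viewer, and the real
# Dism.exe loading a system DLL from System32.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'},
    {"EventID": 7, "Image": r"C:\Windows\System32\Dism.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for rule, evidence in detect(ATTACK_EVENTS):
        print(f"[{rule}] {evidence}")
```

Sysmon only produces Event ID 7 if image-load logging is enabled in its configuration, and it is noisy; scoping it to Dism.exe (and other commonly sideloaded binaries) keeps the volume manageable while still catching the DLL-sideloading step.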

FLUX#CONSOLE shows that adversaries keep finding creative ways to play on user concerns and to evade endpoint security solutions. By using legitimate local Windows tools, in this case mmc.exe executing .msc files, attackers camouflage their actions and make detection difficult.

Computer users, whether individuals or organizations, must remain cautious and keep improving their precautions. Adopting the mitigation measures suggested here and staying alert to threats like FLUX#CONSOLE greatly reduces the chance of becoming a victim.

Cybersecurity is a dynamic field, and staying informed is the best strategy for combating new forms of attack.
