Pakistani Tax Scam Unleashes Stealthy Backdoor Through Microsoft Console Files

Tax-Themed Phishing Campaign Targets Pakistan with Sophisticated Backdoor

A sophisticated phishing operation targeting Pakistan has been discovered, utilizing tax-related documents to deliver a stealthy backdoor malware. Securonix, a cybersecurity firm, has identified this campaign under the name FLUX#CONSOLE.

The attack leverages MSC (Microsoft Common Console Document) files in an innovative approach, disguising malicious content as legitimate tax documents. The campaign specifically uses a file titled “Tax Reductions, Rebates and Credits 2024,” which mimics an authentic document from Pakistan’s Federal Board of Revenue (FBR).

Key Technical Aspects:
– Files use double extensions (.pdf.msc) to appear as PDF documents
– JavaScript code executes through Microsoft Management Console (MMC)
– Malware deploys “DismCore.dll” while displaying legitimate decoy content
– Persistence achieved through scheduled tasks
– Remote command execution and data exfiltration capabilities
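
A defender-side check for the first two items above, added here as an illustration and not taken from the Securonix report: it flags process-creation events in which mmc.exe opens a .msc file hiding behind a document extension. The event field names, hosts, paths and the decoy-extension list are assumptions; only the lure's file title comes from the article.

```python
import re
from pathlib import PureWindowsPath

# Document extensions a trailing ".msc" may hide behind (assumed list, extend as needed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

# A quoted or unquoted command-line argument that ends in .msc.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)(?=\s|$)', re.IGNORECASE)


def is_disguised_msc(path):
    """True when a .msc file carries a document extension directly before it."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".msc" and suffixes[-2] in DECOY_EXTS


def flag_events(events):
    """Return (host, file name) for each mmc.exe launch that opens a disguised .msc."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "mmc.exe":
            continue
        for m in MSC_ARG.finditer(ev["command_line"]):
            target = m.group(1) or m.group(2)
            if is_disguised_msc(target):
                hits.append((ev["host"], PureWindowsPath(target).name))
    return hits


# Constructed sample events; hosts and paths are illustrative, not from the report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\compmgmt.msc'},
    {"host": "ws-02", "image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'mmc.exe "C:\Users\a\Downloads\Tax Reductions, Rebates and Credits 2024.pdf.msc"'},
    {"host": "ws-03", "image": r"C:\Program Files\Reader\reader.exe",
     "command_line": r'reader.exe "C:\Users\b\Documents\invoice.pdf"'},
    {"host": "ws-04", "image": r"C:\Windows\System32\MMC.EXE",
     "command_line": r"MMC.EXE C:\Users\c\Desktop\notice.PDF.MSC"},
]

if __name__ == "__main__":
    for host, name in flag_events(SAMPLE_EVENTS):
        print(f"{host}: mmc.exe opened disguised console file {name!r}")
```

The built-in console launch on ws-01 is left alone because its file has a single .msc extension; only the two double-extension launches are reported.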

The attack chain demonstrates sophisticated obfuscation techniques, from complex JavaScript to concealed DLL code. This represents an evolution from traditional LNK file-based attacks, potentially indicating a new trend in malware delivery methods.

While the threat actor remains unidentified, similar tactics were observed in December 2023 in use by a group known as Patchwork. Securonix reports the attack was contained within 24 hours of initial infection.
