Engage Report: FLUX#CONSOLE

Subject: Engage Report: FLUX#CONSOLE

Tactics: TA0005 Defense Evasion

Technique: T1218 System Binary Proxy Execution, T1218.014 System Binary Proxy Execution: MMC

Procedure:

The threat actors utilize Microsoft Common Console Document (MSC) files to execute malicious JavaScript code. These MSC files are designed to mimic the appearance of PDF documents, deceiving users into opening them. Upon execution, the embedded JavaScript code facilitates the download and execution of a backdoor payload.

Vulnerability: EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.

Engagement Opportunity:

Deploy a decoy endpoint that presents as an ordinary user workstation (a mailbox that receives the phishing email, a default Windows install with mmc.exe present, nothing that would stop the attachment from opening) so that the MSC attachment is detonated there rather than on a production host. The decoy does not need a deliberately vulnerable configuration: the technique relies on MMC processing a crafted console file, so a stock install is enough. Record the MSC file itself, the mmc.exe invocation, any child processes mmc.exe spawns and the outbound connections made by the downloaded payload. This provides an opportunity to observe T1218.014 in action and gather intelligence on the adversary's tools, techniques, and procedures (TTPs).

Threat Actor: FLUX#CONSOLE

Threat Objective:

To deliver a backdoor payload and establish persistence on the victim’s machine.

Deception Opportunity:

Develop a deception campaign that includes a fake file-sharing service or a decoy document repository. Seed this service with documents that appear to be valuable intellectual property for the targeted organisation, in the same document types the lure already imitates. Monitor for any access attempts to these decoy documents, which could indicate the presence of FLUX#CONSOLE or other threat actors.

Sensor Data Placement: Application

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

The use of MSC files for malicious purposes is not yet widespread but has been observed in several campaigns. The technique is core to some implementations of System Binary Proxy Execution, so it is scored as a Level 4 observable.

Link to Report:

Link to Report II.:

Additional Comments:

Monitoring for the misuse of MSC files (MSC attachments arriving by email, mmc.exe opening console files from user-writable directories, mmc.exe spawning script hosts or shells), along with user education about this threat, can enhance the security posture against such attacks.
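The following is an added example for this report, not code from the FLUX#CONSOLE campaign or from any vendor tool. It covers both the engagement opportunity (what to record on the decoy) and the monitoring recommendation above: a static triage of a console file (double extension, embedded script markers in any string or attribute) and a rule run over process-creation events around mmc.exe. The marker list, the path and child-process lists, the sample .msc documents and the process events are constructed assumptions for illustration.

```python
"""Triage helpers for Microsoft Common Console Document (.msc) abuse.

Added example for this report, not campaign or vendor code. Marker lists,
path lists, the sample console files and the events are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Strings whose presence in a console file suggests embedded script or a
# command proxied through mmc.exe. Heuristic list (assumption); consoles
# saved by Microsoft's own snap-ins contain none of them.
SCRIPT_MARKERS = (
    "<script", "javascript:", "ActiveXObject", "WScript.Shell",
    "cmd.exe", "powershell", "mshta", "rundll32",
)
# Where a mailed attachment usually lands before it is opened (assumption).
USER_WRITABLE = ("\\users\\", "\\downloads\\", "\\appdata\\", "\\temp\\")
# Children that mmc.exe has no business starting on a user workstation.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe")


def _text_nodes(root):
    """Yield (location, value) for every text node and attribute value."""
    for el in root.iter():
        if el.text and el.text.strip():
            yield el.tag, el.text
        for name, value in el.attrib.items():
            yield el.tag + "@" + name, value


def scan_msc(xml_text, filename=""):
    """Return a list of findings for one .msc file; empty means clean."""
    findings = []
    # The lure relies on a double extension such as "Statement.pdf.msc".
    if re.search(r"\.pdf\.msc$", filename, re.IGNORECASE):
        findings.append("name mimics a PDF (.pdf.msc)")
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as err:
        findings.append("not well-formed XML: %s" % err)
        return findings
    if root.tag != "MMC_ConsoleFile":
        findings.append("unexpected root element " + root.tag)
    for where, value in _text_nodes(root):
        lowered = value.lower()
        hits = [m for m in SCRIPT_MARKERS if m.lower() in lowered]
        if hits:
            findings.append(where + ": " + ", ".join(hits))
    return findings


def detect_mmc_abuse(events):
    """Flag process events typical of an MSC attachment being opened.

    Events are dicts with Image, ParentImage and CommandLine, as a parsed
    Sysmon Event ID 1 record would present them (assumption).
    """
    alerts = []
    for ev in events:
        image = ev["Image"].lower()
        parent = ev["ParentImage"].lower()
        cmd = ev["CommandLine"].lower()
        if image.endswith("\\mmc.exe") and ".msc" in cmd \
                and any(p in cmd for p in USER_WRITABLE):
            alerts.append("mmc.exe opened .msc from user-writable path: "
                          + ev["CommandLine"])
        if parent.endswith("\\mmc.exe") \
                and any(image.endswith("\\" + h) for h in SCRIPT_HOSTS):
            alerts.append("mmc.exe spawned " + ev["Image"] + ": "
                          + ev["CommandLine"])
    return alerts


# Constructed console file: a StringTable entry carrying script. Real files
# differ in where the script sits; the scanner inspects every string.
MALICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">&lt;script&gt;new ActiveXObject("WScript.Shell").Run("cmd.exe /c whoami");&lt;/script&gt;</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""
# Constructed benign console file (a saved snap-in view).
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Services</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""
# Constructed process events: the lure being opened, the child it spawns,
# and an administrator opening a stock console for comparison.
EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Tax-Statement.pdf.msc"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
]

if __name__ == "__main__":
    for name, doc in (("Tax-Statement.pdf.msc", MALICIOUS_MSC), ("services.msc", BENIGN_MSC)):
        print(name, scan_msc(doc, name) or "clean")
    for alert in detect_mmc_abuse(EVENTS):
        print(alert)
```

Two caveats for anyone deploying this. The string scanner is a triage aid only: script can be obfuscated or split across strings, so the durable signal is the process rule (mmc.exe spawning a script host or shell) and the payload's network egress, not string matching. And administrators legitimately open custom consoles saved under their profile, so the user-writable-path rule needs tuning per environment before it is allowed to alert on its own.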

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: FLUX#CONSOLE Attack Graph

[1]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Deliver malicious MSC file in phishing email disguised as a PDF document (Core to Some Implementations of (Sub-)Technique)
[2]: Defense Evasion [TA0005] - System Binary Proxy Execution [T1218]: MMC [T1218.014] - Execute malicious JavaScript code embedded in the MSC file (Core to Some Implementations of (Sub-)Technique)
[3]: Execution [TA0002] - Command and Scripting Interpreter [T1059]: JavaScript [T1059.007] - Download and execute backdoor payload using JavaScript (Lack of User Awareness)
[4]: Persistence [TA0003] - Create or Modify System Process [T1543] - Establish persistence on the victim's machine (Lack of System Monitoring)

1 --> 2
2 --> 3
3 --> 4

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Example: FLUX#CONSOLE Pseudocode

function Initial_Access_Phishing(target_email):
    # Craft phishing email with malicious MSC file disguised as a PDF
    # Send email to target_email
    return malicious_msc_file

function Defense_Evasion_System_Binary_Proxy_Execution(malicious_msc_file):
    # mmc.exe opens the MSC file and executes the JavaScript embedded in it
    return javascript_code

function Execution_Command_and_Scripting_Interpreter(javascript_code):
    # Download and execute backdoor payload using JavaScript
    return backdoor_payload

function Persistence_Create_or_Modify_System_Process(backdoor_payload):
    # Establish persistence on the victim's machine using the backdoor payload
    return success
