Full Report
With the decline in distribution of MS Office document-type malware, malware in other formats such as LNK and CHM is on the rise. In the second quarter of this year, malware in the MSC (snap-in / Management Saved Console) file format used by Microsoft Management Console (MMC) was identified. MSC files are in an […] The post 2024 MSC Malware Trend Report appeared first on ASEC.
Analysis Summary
# Tool/Technique: MSC File Format Malware
## Overview
Malware distributed in the Microsoft Management Console Saved Console (MSC) file format. MSC files are XML-based configuration files for Microsoft Management Console (MMC) that can be used to register and execute script codes, commands, or programs, making them an emerging delivery mechanism as traditional document malware decreases.
## Technical Details
- Type: Malware (File Format Exploitation/Delivery)
- Platform: Windows
- Capabilities: Execution of arbitrary code/commands; easily disguised with the icons of common document types (PDF, Word).
- First Seen: Identified and tracked in Q2 2024, with distribution confirmed up to October 2024.
## MITRE ATT&CK Mapping
*Note: As the primary context is the delivery mechanism, the mapping focuses on the execution and initial access methods observed.*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied via targeted nature)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - Malicious File
## Functionality
### Core Capabilities
* **Execution via MMC:** Uses the inherent functionality of the MSC file format/MMC to run configured scripts or commands.
* **Disguise and Social Engineering:** Files are frequently disguised with icons matching legitimate documents (PDF, Word) or folders to trick users into execution via a double-click.
### Advanced Features
* **Type 1 (Vulnerability Exploitation):** Exploits a vulnerability in `apds.dll` (CVE-2024-43572) to execute a malicious payload.
* **Type 2 (Command Execution):** Executes commands via the MMC Console Taskpad feature. This type has been specifically linked to the Kimsuky group operating against South Korean users, often executing bait documents during operation.
## Indicators of Compromise
- File Hashes:
- File Names (Examples):
- readme(解压密码).msc
- 民意信箱滿意度調查表.msc
- [DOS] Jess Taylor’s Piece.msc
- [WSJ] Interview Memo with Dr. Kyung*** Lee(202409).msc
- Registry Keys: (Not specified in context)
- Network Indicators: (Not specified in context)
- Behavioral Indicators: Double-clicking an `.msc` file causes `mmc.exe` to execute the embedded commands or deploy the payload.
## Associated Threat Actors
- Kimsuky (Associated with Type 2 MSC malware targeting South Korean users).
## Detection Methods
- Signature-based detection: Signatures can be generated from known file hashes and from the specific XML structures (for example, Taskpad command entries) found inside malicious MSC files.
- Behavioral detection: Monitoring for suspicious execution originating from the `mmc.exe` process launching unintended commands or scripts, particularly when triggered by opening an `.msc` file.
- YARA rules: (Not specified, but applicable based on XML structure).
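As an added static-triage example (not code from the ASEC report), the Python below checks an MSC file's XML for the Type 2 Taskpad command-execution structure and for string-table entries that reference script hosts. The element names (`TaskpadList`/`Task`/`Command`/`Parameters`, `StringTable`/`String`) are assumed from public descriptions of the MSC layout, and the sample file is constructed, not a real sample from the report.

```python
"""Static triage of an MSC (MMC saved console) file.
Element names are an assumption based on public descriptions of the format."""
import re
import xml.etree.ElementTree as ET

# Interpreters/LOLBins whose appearance inside a console file is rarely legitimate.
SUSPICIOUS = re.compile(
    r"\b(cmd(\.exe)?|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b",
    re.IGNORECASE,
)


def triage_msc(xml_text: str) -> list[str]:
    """Return human-readable findings for one MSC file's XML content."""
    findings = []
    root = ET.fromstring(xml_text)
    # Type 2 pattern from the report: commands executed through Taskpad tasks.
    for task in root.iter("Task"):
        if task.get("Type", "").lower() == "commandline":
            cmd = (task.findtext("Command") or "").strip()
            params = (task.findtext("Parameters") or "").strip()
            findings.append(f"CommandLine task: {cmd} {params}".strip())
    # Script-host references anywhere in the string tables.
    for s in root.iter("String"):
        text = s.text or ""
        if SUSPICIOUS.search(text):
            findings.append(f"String table entry references script host: {text[:80]}")
    return findings


# Constructed sample mimicking the Type 2 layout (not a real sample from the report).
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable>
    <String ID="1">Console Root</String>
    <String ID="2">cmd.exe /c start readme.pdf</String>
  </StringTable></StringTables>
  <TaskpadList><Taskpad ID="{00000000-0000-0000-0000-000000000001}">
    <Tasks><Task Type="CommandLine">
      <Command>cmd.exe</Command>
      <Parameters>/c start readme.pdf</Parameters>
    </Task></Tasks>
  </Taskpad></TaskpadList>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for finding in triage_msc(SAMPLE_MSC):
        print(finding)
```

A clean console file with no CommandLine tasks and no script-host strings yields an empty finding list, so the function can be run over a directory of `.msc` files as a first-pass filter.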
## Mitigation Strategies
- **Application Control:** Restrict execution of `.msc` files, and of scripts or commands launched by the Microsoft Management Console (`mmc.exe`).
- **User Education:** Train users to be highly suspicious of double-clicking unexpected files, especially those disguised as common documents.
- **Patching:** Ensure systems are patched against known vulnerabilities, specifically **CVE-2024-43572**, which is leveraged by Type 1 samples.
## Related Tools/Techniques
- LNK malware
- CHM malware
- General spearphishing document delivery techniques.