2024 MSC Malware Trend Report
As distribution of MS Office document-type malware decreases, distribution of malware in other formats such as LNK and CHM is on the rise. In the second quarter of this year, malware in the MSC (snap-ins/Management Saved Console) file format used by Microsoft Management Console (MMC) was identified. MSC files use an XML-based format and can perform various tasks such as registering and executing script code, commands, or programs. The identified MSC file-type malware includes a type that exploits a vulnerability (CVE-2024-43572) in apds.dll and a type that executes a command line via the MMC Console Taskpad.
The distribution status of MSC-format malware confirmed up to October 2024 is as follows.
※ The values in the graph range from 0 to 5. A higher value indicates a higher distribution of malware.

Figure 1. Distribution of malware in MSC format
The threat actor seems to be distributing malware in an unfamiliar format so that users execute it without suspicion. General users may find it difficult to guess the exact purpose and behavior of MSC files, and the fact that they can be executed with a simple double-click may lead to continued distribution.
- Type 1
This type exploits a vulnerability (CVE-2024-43572) in apds.dll to execute a malicious payload. Since the icon of the file can be freely set, there have been multiple cases of distribution with PDF or Word document icons to disguise the file as a legitimate document.
The icon and file name of the distributed file are as follows.

Figure 2. Icon of the confirmed MSC file
| File Name | Translated File Name |
| --- | --- |
| Japan’s Attempts to Strengthen Its Defense Capabilities and Revive Its Defense Industry | – |
| readme(解压密码).msc | readme (Decryption Code).msc |
| 民意信箱滿意度調查表.msc | Feedback Mailbox Satisfaction Survey Form.msc |
| 經濟部水利署第五河川分署水域污染詳細訊息.msc | Details of the Water Pollution in the Economic and Natural Resource Bureau of the Ministry of Water Resources in the People’s Republic of China.msc |
Table 1. Names of confirmed files
- Type 2
This type executes commands using the MMC’s Console Taskpad. Like Type 1, it also disguises itself with a document file or folder icon. The Kimsuky group has been identified as distributing this malware to South Korean users, and it characteristically opens bait documents during its operation.
The following are the icons, execution screens, and file names of the distributed files.

Figure 3. Icon of the confirmed MSC file

Figure 4. Screen of executing the MSC file
| File name |
| --- |
| [DOS] Jess Taylor’s Piece.msc |
| [DOS] Secure Document-Jess.msc |
| [WSJ] Interview Memo with Dr. Kyung*** Lee(202409).msc |
| North Korea’s New Suicide Drone.msc |
| 0808-DWnews.msc |
| 240422 264-24 SOLO airfield surveys.msc |
| 240801_Narang_Conversation_Secretary.msc |
Table 2. Confirmed File Names
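
A static triage check for the two types described above, as an added example that is not part of the original report: it parses an MSC file as XML and reports Taskpad command-line tasks (Type 2) and any reference to apds.dll (Type 1). The element and attribute names, the function name `triage_msc`, and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from any real file. Element and attribute names
# (ConsoleTaskpad, Task, CommandLine, Params) are an assumed MSC layout.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <ConsoleTaskpads>
    <ConsoleTaskpad ID="{00000000-0000-0000-0000-000000000000}">
      <Tasks>
        <Task Type="CommandLine" Command="cmd.exe">
          <CommandLine Directory="" WindowState="Minimized" Params="/c echo constructed-sample"/>
        </Task>
      </Tasks>
    </ConsoleTaskpad>
  </ConsoleTaskpads>
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Favorites</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""


def triage_msc(xml_text):
    """Return a list of (indicator, detail) findings for one MSC document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    # Type 2: taskpad tasks that launch a program with parameters.
    for task in root.iter("Task"):
        if task.get("Type", "").lower() == "commandline":
            params = [c.get("Params", "") for c in task.iter("CommandLine")]
            findings.append(("taskpad-command",
                             (task.get("Command", "") + " " + " ".join(params)).strip()))
    # Type 1: any text or attribute value that references apds.dll.
    for elem in root.iter():
        values = [elem.text or ""] + list(elem.attrib.values())
        if any("apds.dll" in v.lower() for v in values):
            findings.append(("apds-reference", elem.tag))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage_msc(SAMPLE_MSC):
        print(indicator, detail)
```

Findings are triage leads rather than verdicts, since administrators also build taskpads with command tasks; for untrusted samples, a hardened parser such as defusedxml is the safer choice.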