Rhadamanthys Infostealer Exploiting Microsoft Management Console to Execute Malicious Script
- From: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
Researchers uncovered an ongoing campaign distributing the Rhadamanthys Infostealer through malicious Microsoft Management Console (MMC) files (.MSC), leveraging both a patched DLL vulnerability and legitimate MMC functionality to execute scripts and deploy malware.
This advanced attack vector highlights evolving techniques in credential theft campaigns targeting Windows environments.
Security researchers at AhnLab SEcurity intelligence Center (ASEC) report that the campaign employs two distinct methods to execute malicious code via MSC files.
The first exploits CVE-2024-43572, a vulnerability in the apds.dll library that allows arbitrary JavaScript execution through manipulated resource URIs.
The res:// protocol handler used in the crafted URI accesses the redirect.html resource embedded in apds.dll, which performs a regex search for code following target= and executes it via .exec().
Crucially, this bypasses MMC’s security context, running code directly within the vulnerable DLL. While Microsoft patched this vulnerability in June 2024, unpatched systems remain at risk.
The second method abuses the MMC’s Console Taskpad feature, which interprets XML-based commands between and tags.
Unlike the DLL exploit, this technique executes commands natively within MMC, limited to basic operations like script or program execution.
In the observed campaign, the embedded command downloads and executes a PowerShell script from a remote server, which deploys Rhadamanthys as eRSg.mp3 in the user's %LocalAppData% directory, a tactic that exploits the perceived trust in media file extensions.
Distribution and Evasion Tactics
Threat actors distribute these MSC files disguised as legitimate documents, often mimicking Microsoft Word icons or embedded in phishing emails.
Recent campaigns observed by ASEC use Google Ads to redirect users to spoofed software download pages (e.g., Zoom, AnyDesk) hosting the malicious MSC files. When users click “Open,” the file triggers the MMC execution chain.
Post-exploitation, Rhadamanthys initiates its multi-stage payload retrieval process.
The malware creates a suspended AppLaunch.exe process (from the .NET Framework directory) and injects malicious code into its memory space, evading detection by unhooking ntdll.dll functions and employing virtual machine (VM) evasion techniques derived from the open-source Al-Khaser project.
Rhadamanthys’ Capabilities and Impact
Once active, Rhadamanthys harvests:
- System metadata (hostname, RAM, CPU, screen resolution)
- Credentials from 50+ applications, including browsers (Chrome, Firefox), FTP clients (FileZilla, WinSCP), and password managers (KeePass)
- Cryptocurrency wallet data, leveraging AI-powered OCR in version 0.7.0 to extract seed phrases from images
- Session cookies and autofill data from browsers
Stolen data is exfiltrated to command-and-control (C2) servers via SOAP messages, with attackers optionally deploying secondary modules like file grabbers or custom PowerShell scripts.
Mitigation and Detection
- Apply Microsoft’s patch for CVE-2024-43572 and disable the res:// protocol handler if unused.
- Block execution of MSC files from untrusted sources via Group Policy.
- Monitor for suspicious process trees, particularly mmc.exe spawning powershell.exe or downloading files to %LocalAppData%.
- Deploy Sigma rules targeting Rhadamanthys’ signature behaviors.
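The process-tree and file-drop checks listed above, turned into detection logic as an added example (this is not code from the article or from ASEC). The records are constructed Sysmon-style events whose field names follow Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate); the paths and command line are constructed, not observed indicators.

```python
"""Flag mmc.exe spawning a script host and media-named drops in %LocalAppData%."""
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MEDIA_EXT = {".mp3", ".mp4", ".wav", ".avi"}
# A file written directly into AppData\Local (no subfolder), as eRSg.mp3 was.
LOCALAPPDATA_ROOT_RE = re.compile(r"\\AppData\\Local\\[^\\]+$", re.IGNORECASE)

# Constructed sample telemetry: two benign events and two matching the campaign pattern.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Users\u\Downloads\Zoom_Setup.msc'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'powershell.exe -w hidden -File C:\Users\u\AppData\Local\stage.ps1'},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\eRSg.mp3"},
    {"EventID": 11, "Image": r"C:\Program Files\VLC\vlc.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\vlc\cache.mp3"},
]


def base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def mmc_spawns_script_host(ev):
    """ProcessCreate where the parent is mmc.exe and the child is a script/command host."""
    return (ev.get("EventID") == 1 and base(ev["ParentImage"]) == "mmc.exe"
            and base(ev["Image"]) in SCRIPT_HOSTS)


def suspicious_media_drop(ev):
    """FileCreate by mmc.exe or a script host, media extension, straight in AppData\\Local."""
    if ev.get("EventID") != 11 or base(ev["Image"]) not in SCRIPT_HOSTS | {"mmc.exe"}:
        return False
    target = ev["TargetFilename"]
    return (bool(LOCALAPPDATA_ROOT_RE.search(target))
            and ntpath.splitext(target)[1].lower() in MEDIA_EXT)


def detect(events):
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        if mmc_spawns_script_host(ev):
            alerts.append(("mmc_spawn_script_host", ev["CommandLine"]))
        elif suspicious_media_drop(ev):
            alerts.append(("localappdata_media_ext_drop", ev["TargetFilename"]))
    return alerts
```

Both rules are deliberately narrow; in a real SIEM the second one would be joined to the first by process GUID so that the drop is only flagged when the writing script host descends from mmc.exe.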
ASEC notes a 300% increase in MSC-based attacks since June 2024, with the Console Taskpad method now dominating post-patch.
This underscores the critical need for layered defenses against social engineering and legacy protocol abuses.