A new malicious code execution technique, GrimResource, targets Microsoft Management Console. Attackers exploit an old cross-site scripting vulnerability to bypass defenses and deploy malware to endpoints.
GrimResource Attack Technique
On June 6, 2024, Elastic reported a new attack technique, GrimResource, which uses Microsoft Management Console to run malware. This technique exploits an XSS vulnerability in the apds.dll library to gain initial access and execute arbitrary code with minimal detection. Attackers use a reference in a Microsoft Saved Console (MSC) file and leverage DotNetToJScript to execute the code.
Researchers note that after Microsoft disabled macros in Office documents by default, other infection vectors became more popular. However, these methods are easily detected and tracked by antimalware vendors.
As a result, cybercriminals are now seeking new and undisclosed vectors to bypass defenses. In several detected cases, adversaries exploited the flaw to deploy a Cobalt Strike beacon.
The GrimResource technique exploits an old XSS vulnerability in the apds.dll library. By referencing the vulnerable APDS resource in the StringTable section of a crafted Microsoft Management Console (MMC) file, attackers can execute arbitrary JavaScript within the context of mmc.exe. This can be combined with DotNetToJScript to execute arbitrary .NET code.
The infection chain begins with the transformNode obfuscation technique, previously used in unrelated macro samples to evade ActiveX security warnings. The obfuscated VBScript in the file sets the target payload within a series of environment variables.
Next, the VBScript uses DotNetToJScript to execute an embedded .NET loader called PastaLoader. This loader retrieves the payload from the variables set by the VBScript and spawns a new instance of dllhost.exe.
The loader then injects malware into this process using the DirtyCLR technique, which involves function unhooking and indirect system calls to remain stealthy. Analysts have observed adversaries deploying Cobalt Strike, a common tool for post-exploitation activities, during these attacks.
Unresolved Vulnerabilities
The vulnerability exploited in the GrimResource technique was reported to Adobe and Microsoft in October 2018. Despite investigations, Microsoft deemed it did not require an immediate fix. By March 2019, the XSS flaw remained unpatched, and its current status is unclear.
This suggests that the vulnerability was still a potential risk, making it attractive for attackers using the GrimResource technique. As of 2024, interest in exploiting this vulnerability has surged. To protect your device, merely keeping software up to date may not be sufficient.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment