A new malicious code execution technique, coined GrimResource, was discovered, targeting Microsoft Management Console. Attackers are exploiting an old cross-site scripting vulnerability that allows them to bypass defenses and deploy malware to endpoints.
Attack Technique Exploits Microsoft Management Console Files
On June 6, 2024, Elastic reported about discovering a new attack technique that uses Microsoft Management Console to run malware. The technique, nicknamed GrimResource, allows attackers to execute arbitrary code locally with minimal detection, even before getting access to the system. This is achieved by exploiting an XSS vulnerability in the apds.dll library, that allows it to gain initial access. Hackers include the reference to one and effectively exploit it through a Microsoft Saved Console (MSC) file. The trick also plays with DotNetToJScript to execute arbitrary code.
According to the researchers, after Microsoft disabled macros in Office suite by default for documents from the Internet, the popularity of other infection vectors increased sharply. However, these other methods, are rather easy to detect, and are overall tracked a lot by antimalware vendors. That’s the reason why cybercriminals went seeking to use new and undisclosed infection vectors to gain access and bypass defenses. In several exploitation cases that analysts detected so far, adversaries used the flaw to deploy a Cobalt Strike beacon.
Technical Analysis
The GrimResource technique exploits an old cross-site scripting (XSS) vulnerability found in the library apds.dll. By including a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted Microsoft Management Console (MMC) file, attackers can execute arbitrary JavaScript. This execution occurs within the context of mmc.exe. This capability can be combined with DotNetToJScript, a method that enables attackers to execute arbitrary .NET code.
The infection chain starts with the use of the transformNode obfuscation technique. Threat actors used this method in unrelated macro samples, helping the malicious code evade ActiveX security warnings. The obfuscated VBScript embedded in the file sets the target payload within a series of environment variables.
Next, the VBScript uses the DotNetToJScript method to execute an embedded .NET loader known as PastaLoader. This loader retrieves the payload from the variables set by the VBScript. It then spawns a new instance of dllhost.exe.
Further, the loader injects malware into this process using the DirtyCLR technique. It involves function unhooking and using indirect system calls to maintain stealth. Throughout these attacks, as I’ve mentioned, analysts have seen adversaries deploying Cobalt Strike, a widely used tool for post-exploitation activities.
Unfixed Vulnerabilities
The vulnerability exploited in the GrimResource technique was reported to both Adobe and Microsoft in October 2018. While both companies investigated the issue, Microsoft determined that the vulnerability did not meet the criteria for an immediate fix. In short, companies just did not take it seriously.
By March 2019, the cross-site scripting (XSS) flaw remained unpatched. The status of whether it has been addressed since then remains unclear. This suggests that, at least as of early 2019, the vulnerability was still a potential risk for exploitation, making it an attractive target for attackers leveraging the GrimResource technique. And now, in 2024, especially after the massive fuss around this technique in newsletters, its exploitation will likely be just over the roof.
To keep your device secured against such vulnerabilities, keeping software up to date may not be enough. A reliable antivirus with regular database updates and a heuristic engine should be considered, too – just as a way to stop what the updates failed to prevent. GridinSoft Anti-Malware will give you this security, thanks to its multi-component detection system and hourly updates.
