New GrimResource Attack Technique Targets MMC, DLL Flaw

GrimResource Attack Targets Microsoft Management Console
Attackers exploit an old vulnerability for a new attack.

A new malicious code execution technique, coined GrimResource, was discovered, targeting Microsoft Management Console. Attackers are exploiting an old cross-site scripting vulnerability that allows them to bypass defenses and deploy malware to endpoints.

Attack Technique Exploits Microsoft Management Console Files

On June 6, 2024, Elastic reported about discovering a new attack technique that uses Microsoft Management Console to run malware. The technique, nicknamed GrimResource, allows attackers to execute arbitrary code locally with minimal detection, even before getting access to the system. This is achieved by exploiting an XSS vulnerability in the apds.dll library, that allows it to gain initial access. Hackers include the reference to one and effectively exploit it through a Microsoft Saved Console (MSC) file. The trick also plays with DotNetToJScript to execute arbitrary code.

Post in the X (Twitter) screenshot
Post in the X (Twitter)

According to the researchers, after Microsoft disabled macros in Office suite by default for documents from the Internet, the popularity of other infection vectors increased sharply. However, these other methods, are rather easy to detect, and are overall tracked a lot by antimalware vendors. That’s the reason why cybercriminals went seeking to use new and undisclosed infection vectors to gain access and bypass defenses. In several exploitation cases that analysts detected so far, adversaries used the flaw to deploy a Cobalt Strike beacon.

Technical Analysis

The GrimResource technique exploits an old cross-site scripting (XSS) vulnerability found in the library apds.dll. By including a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted Microsoft Management Console (MMC) file, attackers can execute arbitrary JavaScript. This execution occurs within the context of mmc.exe. This capability can be combined with DotNetToJScript, a method that enables attackers to execute arbitrary .NET code.

The infection chain starts with the use of the transformNode obfuscation technique. Threat actors used this method in unrelated macro samples, helping the malicious code evade ActiveX security warnings. The obfuscated VBScript embedded in the file sets the target payload within a series of environment variables.

transformNode evasion and obfuscation technique screenshot
transformNode evasion and obfuscation technique (Source: Elastic Security Labs)

Next, the VBScript uses the DotNetToJScript method to execute an embedded .NET loader known as PastaLoader. This loader retrieves the payload from the variables set by the VBScript. It then spawns a new instance of dllhost.exe.

Further, the loader injects malware into this process using the DirtyCLR technique. It involves function unhooking and using indirect system calls to maintain stealth. Throughout these attacks, as I’ve mentioned, analysts have seen adversaries deploying Cobalt Strike, a widely used tool for post-exploitation activities.

Successful execution screenshot
Example of the successful execution of GrimResource (Source: Elastic Security Labs)

Unfixed Vulnerabilities

The vulnerability exploited in the GrimResource technique was reported to both Adobe and Microsoft in October 2018. While both companies investigated the issue, Microsoft determined that the vulnerability did not meet the criteria for an immediate fix. In short, companies just did not take it seriously.

By March 2019, the cross-site scripting (XSS) flaw remained unpatched. The status of whether it has been addressed since then remains unclear. This suggests that, at least as of early 2019, the vulnerability was still a potential risk for exploitation, making it an attractive target for attackers leveraging the GrimResource technique. And now, in 2024, especially after the massive fuss around this technique in newsletters, its exploitation will likely be just over the roof.

To keep your device secured against such vulnerabilities, keeping software up to date may not be enough. A reliable antivirus with regular database updates and a heuristic engine should be considered, too – just as a way to stop what the updates failed to prevent. GridinSoft Anti-Malware will give you this security, thanks to its multi-component detection system and hourly updates.

New GrimResource Attack Technique Targets MMC, DLL Flaw

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *