Threat actors are actively exploiting a novel attack technique that uses specially crafted management saved console (MSC) files to gain full code execution through Microsoft Management Console (MMC) and evade existing security controls.
Elastic Security Labs has dubbed this approach “GrimResource” after discovering a specific artifact (“sccm-updater.msc”) uploaded to the VirusTotal malware scanning platform on June 6, 2024.
“When an intricately crafted console file is imported, a vulnerability within one of the MMC libraries can result in the execution of adversary code, including potentially malicious software,” the company explained in a statement provided to The Hacker News.
“Attackers can pair this technique with DotNetToJScript to gain arbitrary code execution, opening avenues for unauthorized access, system compromise, and more.”
Using unconventional file types as a distribution channel for malware is viewed as a strategic move by adversaries to circumvent security barriers recently reinforced by Microsoft, such as the default disabling of macros in Office files downloaded from the internet.
In a recent report, South Korean cybersecurity firm Genians detailed an instance where the North Korea-linked Kimsuky hacking group leveraged a malicious MSC file to deliver malware.
GrimResource, by contrast, abuses a cross-site scripting (XSS) vulnerability in the apds.dll library to execute arbitrary JavaScript code within the MMC context. The XSS flaw was reported to Microsoft and Adobe in late 2018 but remains unpatched.
The technique works by inserting a reference to the vulnerable APDS resource into the StringTable section of a malicious MSC file. When the file is opened with MMC, that reference triggers execution of the embedded JavaScript.
Not only does this method bypass ActiveX warnings, but it can also be combined with DotNetToJScript to achieve arbitrary code execution. Analysis of the sample reveals its use in launching a .NET loader component named PASTALOADER, which ultimately facilitates the deployment of Cobalt Strike.
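The following is an added detection example, not code from Elastic Security Labs or from the article: a heuristic scanner that parses an MSC console file and flags StringTable entries referencing the vulnerable APDS resource or carrying script content, the indicator the article describes. It assumes MSC files are XML documents whose console strings live in `<StringTables>/<StringTable>/<Strings>/<String>` elements (element names are an assumption, so the scanner walks every element ending in `String` rather than relying on a fixed schema); the two embedded documents are constructed samples and the "suspicious" one only names `apds.dll`, it is not an exploit payload.

```python
"""Heuristic scanner for suspicious MSC (Management Saved Console) files.

Added example, not Elastic's or the article's code. Assumes MSC files are XML
with console strings under StringTables/StringTable/Strings/String; element
names beyond that are assumptions, so every *String element is inspected.
"""
import re
import xml.etree.ElementTree as ET

# Indicators tied to the GrimResource technique as described in the article:
# a reference to the vulnerable apds.dll resource, or script content, inside a
# console string table entry.
SUSPICIOUS_PATTERNS = [
    ("apds_reference", re.compile(r"apds\.dll", re.IGNORECASE)),
    ("script_uri", re.compile(r"javascript:", re.IGNORECASE)),
    ("inline_script", re.compile(r"<script\b", re.IGNORECASE)),
]

# Constructed benign sample: ordinary console strings only.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Services</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed suspicious sample: string 2 merely names the vulnerable resource
# (placeholder content, not an exploit payload).
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">apds.dll</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def iter_console_strings(root):
    """Yield (string_id, text) for every <String> element in the document."""
    for elem in root.iter():
        if elem.tag.lower().endswith("string") and elem.text:
            yield elem.get("ID", "?"), elem.text


def scan_msc(xml_text):
    """Return a list of (rule, string_id, snippet) findings for one MSC file.

    Malformed XML is reported as a finding instead of raising, because an
    unparseable console that still opens in MMC is itself worth a look.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("parse_error", "?", str(exc))]
    findings = []
    for string_id, text in iter_console_strings(root):
        for rule, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(text):
                findings.append((rule, string_id, text[:80]))
    return findings


def is_suspicious(xml_text):
    """Convenience wrapper for triage pipelines: True if any rule fired."""
    return bool(scan_msc(xml_text))


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(name, scan_msc(doc))
```

In practice the scanner would be run over `.msc` attachments at a mail gateway or on files written to user-writable paths; any hit on a console string that references `apds.dll` is a strong signal, since legitimate saved consoles have no reason to name that library, while the `javascript:` and `<script` rules catch the same abuse path when the resource reference is obfuscated or indirect.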
“After Microsoft enforced the default disabling of Office macros for internet-sourced documents, other infection vectors such as JavaScript, MSI files, LNK objects, and ISOs have gained popularity,” noted security researchers Joe Desimone and Samir Bousseaden.
“However, these alternate techniques are heavily scrutinized by defenders and carry a high risk of detection. Attackers have now innovated with a fresh approach, leveraging crafted MSC files to execute arbitrary code within the Microsoft Management Console.”