Threat actors are exploiting a novel attack technique in the wild that leverages specially crafted management saved console (MSC) files to gain full code execution using Microsoft Management Console (MMC) and evade security defenses.
Elastic Security Labs has codenamed the approach GrimResource after identifying an artifact ("sccm-updater.msc") that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.
"When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to running adversary code, including malware," the company said in a statement shared with The Hacker News.
"Attackers can combine this technique with DotNetToJScript to gain arbitrary code execution, which can lead to unauthorized access, system takeover and more."
The use of uncommon file types as a malware distribution vector is seen as an alternative attempt by adversaries to get around the security guardrails erected by Microsoft in recent years, including disabling macros by default in Office files downloaded from the internet.
Last month, South Korean cybersecurity firm Genians detailed the use of a malicious MSC file by the North Korea-linked Kimsuky hacking group to deliver malware.
GrimResource, on the other hand, exploits a cross-site scripting (XSS) flaw present in the apds.dll library to execute arbitrary JavaScript code in the context of MMC. The XSS flaw was originally reported to Microsoft and Adobe in late 2018, although it remains unpatched to date.
This is accomplished by adding a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file, which, when opened using MMC, triggers the execution of JavaScript code.
The technique not only bypasses ActiveX warnings, it can also be combined with DotNetToJScript to gain arbitrary code execution. The analyzed sample uses this approach to launch a .NET loader component dubbed PASTALOADER that ultimately paves the way for Cobalt Strike.
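Because the indicator described above lives in the StringTable section of the console file, defenders can triage MSC files before they reach MMC by parsing them and flagging any StringTable entry that references apds.dll. The script below is an added example written for this article, not code from Elastic Security Labs or Microsoft. It assumes the documented MSC layout (an XML document whose StringTable section contains String elements); the two sample console files embedded in it are constructed for the demonstration, and the flagged entry is a placeholder string rather than a real payload.

```python
"""Triage MSC (Microsoft Management Console saved console) files for the
GrimResource indicator: a StringTable entry that references apds.dll.

Added example for illustration; not Elastic's or Microsoft's code.
Assumption: MSC files are XML with <StringTable> sections holding <String>
elements (this matches the MMC 3.0 console file format).
"""
import re
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml
from pathlib import Path
from typing import Dict, List

# Case-insensitive match on the library name the article identifies as vulnerable.
APDS_PATTERN = re.compile(r"apds\.dll", re.IGNORECASE)


def string_table_entries(msc_xml: str) -> List[str]:
    """Return the text of every <String> element found under any <StringTable>."""
    root = ET.fromstring(msc_xml)
    entries = []
    for table in root.iter("StringTable"):
        for element in table.iter("String"):
            if element.text and element.text.strip():
                entries.append(element.text.strip())
    return entries


def find_apds_references(msc_xml: str) -> List[str]:
    """Return only the StringTable entries that mention apds.dll."""
    return [entry for entry in string_table_entries(msc_xml) if APDS_PATTERN.search(entry)]


def is_suspicious(msc_xml: str) -> bool:
    """True when at least one StringTable entry references apds.dll."""
    return bool(find_apds_references(msc_xml))


def scan_text(msc_xml: str) -> Dict[str, object]:
    """Scan one console file's contents; an unparsable file is reported, not ignored."""
    try:
        refs = find_apds_references(msc_xml)
    except ET.ParseError as exc:
        return {"parse_error": True, "detail": str(exc), "apds_refs": [], "suspicious": False}
    return {"parse_error": False, "apds_refs": refs, "suspicious": bool(refs)}


def scan_file(path: Path) -> Dict[str, object]:
    """Convenience wrapper for scanning an MSC file on disk."""
    return scan_text(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: an ordinary console with harmless display strings.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""

# Constructed sample: same layout, but one entry references apds.dll.
# The text is a placeholder for the demonstration, not a working payload.
SUSPICIOUS_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">apds.dll (constructed placeholder reference)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(label, "->", scan_text(sample))
```

Pointing `scan_file` at a directory of quarantined `.msc` attachments gives a quick first pass; a parse error is surfaced rather than treated as clean, since a malformed console file is itself worth a human look.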
"After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity," security researchers Joe Desimone and Samir Bousseaden said.
"However, these other techniques are scrutinized by defenders and have a high likelihood of detection. Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files."