Threat actors are exploiting a new attack technique in the wild that uses specially crafted management saved console (MSC) files to gain full code execution through Microsoft Management Console (MMC) while evading security defenses.
Elastic Security Labs has given the name GrimResource to this method after discovering a file (“sccm-updater.msc”) uploaded to the VirusTotal malware scanning platform on June 6, 2024.
“When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to running adversary code, including malware,” the company said in a statement shared with The Hacker News.
“Attackers can combine this technique with DotNetToJScript to achieve arbitrary code execution, which can result in unauthorized access, system takeover, and more.”
Abusing uncommon file types for malware delivery is one way attackers sidestep the guardrails Microsoft has introduced, such as disabling macros by default in Office files downloaded from the internet.
In a recent report, South Korean cybersecurity firm Genians revealed the use of a malicious MSC file by the North Korea-linked Kimsuky hacking group for malware delivery.
GrimResource exploits a cross-site scripting (XSS) vulnerability in the apds.dll library to execute arbitrary JavaScript code within MMC. Although reported to Microsoft and Adobe in 2018, the XSS flaw remains unpatched to date.
To achieve this, the StringTable section of a malicious MSC file carries a reference to the vulnerable APDS resource, so that the embedded JavaScript runs as soon as the console file is opened in MMC.
The technique bypasses the ActiveX warning and can be chained with DotNetToJScript to reach arbitrary code execution. The analyzed sample uses this chain to launch a .NET loader that Elastic tracks as PASTALOADER, which in turn deploys Cobalt Strike.
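The detection angle that follows from the description above is simple: an MSC file is XML, so a triage script can walk every StringTable entry and flag one that points at apds.dll with a javascript: target. The scanner below is an added example written for this article, not Elastic's code or the malware sample. It assumes the `res://apds.dll/redirect.html?target=javascript:` form of the reference (taken from the published GrimResource research, not spelled out on this page), treats a handful of typical DotNetToJScript strings as secondary indicators (an assumption, not a list from the page), and runs against two constructed MSC documents, one benign and one carrying an inert placeholder payload.

```python
"""
Triage scanner for .msc (management saved console) files: flags StringTable
entries that point MMC at the apds.dll redirect resource with a javascript:
target, the pattern described for GrimResource.  Added example, not Elastic's code.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Core indicators: a res:// reference into apds.dll and a javascript: target.
# The redirect.html?target= form in the sample below is taken from the published
# GrimResource research and is an assumption as far as this article is concerned.
APDS_RE = re.compile(r'res://[^\s"<>]*apds\.dll', re.I)
JS_TARGET_RE = re.compile(r"javascript:", re.I)
# Assumption: common DotNetToJScript artefacts; the article does not enumerate them.
DOTNET_RE = re.compile(
    r"Deserialize_2|TransformFinalBlock|System\.Reflection\.Assembly|ActiveXObject", re.I
)


@dataclass
class Finding:
    path: str
    string_id: str
    indicators: List[str] = field(default_factory=list)


def _string_entries(root: ET.Element) -> Iterator[Tuple[str, str]]:
    """Yield (ID, text) for every <String> under any <StringTable>."""
    for table in root.iter("StringTable"):
        for s in table.iter("String"):
            yield s.get("ID", "?"), (s.text or "")


def scan_msc(xml_text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per StringTable entry that carries any indicator."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for sid, text in _string_entries(root):
        hits = []
        if APDS_RE.search(text):
            hits.append("apds.dll resource reference")
        if JS_TARGET_RE.search(text):
            hits.append("javascript: target")
        if DOTNET_RE.search(text):
            hits.append("DotNetToJScript artefact")
        if hits:
            findings.append(Finding(path, sid, hits))
    return findings


def is_grimresource(findings: List[Finding]) -> bool:
    """High-confidence verdict: a single entry combines the apds.dll reference and a javascript: target."""
    want = {"apds.dll resource reference", "javascript: target"}
    return any(want <= set(f.indicators) for f in findings)


def scan_file(path: str) -> List[Finding]:
    """Read an .msc from disk; the files are XML, occasionally with a BOM."""
    with open(path, "rb") as fh:
        return scan_msc(fh.read().decode("utf-8-sig"), path)


# Constructed samples, not real files.  Element layout follows the MSC XML
# format: MMC_ConsoleFile > StringTables > StringTable > Strings > String.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Computer Management (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# The javascript: payload here is an inert placeholder constructed for the test.
MALICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:eval(placeholder)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("malicious", MALICIOUS_MSC)):
        hits = scan_msc(doc, name)
        print(name, "GrimResource" if is_grimresource(hits) else "clean", hits)
```

The verdict deliberately requires both core indicators in the same StringTable entry; a lone `javascript:` string or a stray apds.dll mention is reported as a finding for an analyst to look at but is not enough on its own to call the file GrimResource.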
“After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have gained popularity,” security researchers Joe Desimone and Samir Bousseaden stated.
“However, these alternate techniques are under scrutiny by defenders and have a high chance of detection. Attackers have devised a new method to execute arbitrary code in Microsoft Management Console using crafted MSC files.”