CyberSecurity SEE

Hackers Utilize Uncommon Stealth Tactics to Target Asian Military and Government Organizations


An ongoing campaign in Southeast Asia has been combining two stealth techniques to infect government and military organizations. The first, known as “GrimResource,” lets attackers execute arbitrary code through a crafted console file opened in the Microsoft Management Console (MMC). The technique is relatively new and has been gaining popularity among threat actors.

The second, called “AppDomainManager Injection,” abuses the .NET Framework to make a legitimate .NET executable load an attacker-supplied dynamic link library (DLL), with less effort than traditional DLL sideloading. The technique has been known for about seven years and has been used by Iranian, Chinese and other threat actors, but it is still rarely seen in live campaigns.

According to NTT researchers, since July an attacker with similarities to China’s APT41 has been chaining the two techniques to drop Cobalt Strike onto systems belonging to Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam.

The GrimResource chain starts with a ZIP archive delivered by phishing email or hosted on a malicious website. The archive holds a file that displays a Windows certificate or PDF icon but is actually an MSC file, the XML format in which MMC saves console configurations. Threat actors have turned to the MSC format as Microsoft has tightened default controls on other file types, making it an increasingly popular initial access vector.

GrimResource itself exploits a roughly six-year-old cross-site scripting flaw in Windows’ Authentication Protocol Domain Support (APDS) library, apds.dll, which turns script embedded in the MSC file into arbitrary code execution inside MMC. In this campaign the attackers use it to remove a step from the infection chain: the embedded JavaScript fires as soon as the victim opens the MSC file, with no further click required.

That JavaScript then downloads and launches a legitimate, Microsoft-signed executable renamed to “oncesvc.exe,” which in turn fetches the next-stage malware. Because the binary is genuinely signed, controls that trust signed code alone see nothing wrong with it.
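A practitioner who wants to catch the MSC stage before it runs needs a way to pull suspicious console files out of mail flow or off disk. The script below is an added example, not code from NTT or the article: it parses an MSC file as XML and scans its StringTable entries for the markers the technique depends on (a reference to apds.dll, an inline javascript: or vbscript: URI, and script-host objects). The marker list is an assumption drawn from the description above, and both console files in the block are constructed for illustration; the "suspicious" one carries an inert placeholder, not a payload.

```python
"""Triage MMC console (.msc) files for GrimResource-style content.

Added example; not code from NTT or the article above. Marker list and both
sample consoles are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Assumed markers: the apds.dll redirect reference, inline script URIs, and
# the script-host objects used to run code from MMC's embedded browser.
APDS_REFERENCE = re.compile(r"apds\.dll", re.IGNORECASE)
SCRIPT_URI = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"ActiveXObject|transformNode|<script\b", re.IGNORECASE)

# Constructed: a plain console whose StringTable holds only display names.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Console">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Favorites</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed: the apds.dll redirect entry mimics the GrimResource shape;
# the script body is an inert placeholder, not a working payload.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Console">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Certificates</String>
        <String ID="3" Refs="1">res://apds.dll/redirect.html?target=javascript:eval("/* placeholder */")</String>
        <String ID="4" Refs="1">new ActiveXObject("Placeholder.Object")</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def parse_console(xml_text: str):
    """Return the root element if xml_text is an MMC console file, else None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root if root.tag == "MMC_ConsoleFile" else None


def triage_msc(xml_text: str) -> dict:
    """Scan every StringTable entry; report which markers hit and on which ID."""
    result = {"is_console": False, "apds_reference": False,
              "script_uri": False, "script_host": False,
              "hits": [], "suspicious": False}
    root = parse_console(xml_text)
    if root is None:
        return result
    result["is_console"] = True
    for node in root.iter("String"):
        text = node.text or ""
        markers = []
        for key, pattern in (("apds_reference", APDS_REFERENCE),
                             ("script_uri", SCRIPT_URI),
                             ("script_host", SCRIPT_HOST)):
            if pattern.search(text):
                result[key] = True
                markers.append(key)
        if markers:
            result["hits"].append((node.get("ID"), markers))
    # One apds.dll or script reference is enough to pull the file for
    # analysis: legitimate consoles keep display names and the odd plain
    # URL in the StringTable, not script.
    result["suspicious"] = (result["apds_reference"] or result["script_uri"]
                            or result["script_host"])
    return result


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(name, triage_msc(sample))
```

Run it over attachments extracted at the mail gateway or over *.msc files found outside the Windows system directories; anything that is not a well-formed MMC_ConsoleFile, or that hits any marker, goes to a sandbox rather than a user.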

AppDomainManager Injection, by contrast, abuses a feature of the .NET Framework: an application may name a custom AppDomainManager class, which the runtime instantiates from a named assembly before the application’s own code runs. An attacker supplies that assembly as a DLL and names it either through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables or through a configuration file placed next to the target executable (<name>.exe.config). The trusted .NET binary then loads the attacker’s DLL on start-up without being modified, which is why the method is seen as easier than DLL side-loading, where the attacker must first find a binary that searches for a particular DLL name.
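Both routes leave an artifact a defender can read. The block below is an added example, not code from NTT or the article: it extracts the AppDomainManager assembly and type from a .exe.config file or from a process environment, derives the DLL file name the CLR will probe for, and checks whether that DLL sits beside the executable. The two config texts, the environment dictionaries and the directory listings are constructed for illustration, and the assembly and type names in them are placeholders; the element and variable names are the .NET Framework’s documented knobs.

```python
"""Check a .NET executable's start-up configuration for AppDomainManager injection.

Added example; not code from NTT or the article above. Config texts,
environment values and directory listings are constructed for illustration.
"""
from typing import Iterable, Mapping, Optional, Tuple
import xml.etree.ElementTree as ET

# Documented .NET Framework environment variables for the per-process route.
ENV_ASM = "APPDOMAIN_MANAGER_ASM"
ENV_TYPE = "APPDOMAIN_MANAGER_TYPE"

# Constructed: a typical application config with no manager override.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed: the injection shape, with placeholder assembly and type names.
INJECTION_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Example.Manager" />
  </runtime>
</configuration>
"""


def manager_from_config(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) named under <runtime>, or None if absent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")


def manager_from_env(environ: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """The same two values when set per process through the environment."""
    asm, typ = environ.get(ENV_ASM), environ.get(ENV_TYPE)
    return (asm, typ) if asm and typ else None


def assembly_file_name(assembly: str) -> str:
    """'Name, Version=..., PublicKeyToken=...' -> 'Name.dll', the file the CLR probes for."""
    return assembly.split(",", 1)[0].strip() + ".dll"


def assess(config_text: Optional[str], environ: Mapping[str, str],
           sibling_files: Iterable[str]) -> dict:
    """Combine both routes and check whether the named DLL sits beside the exe."""
    siblings = {name.lower() for name in sibling_files}
    cfg = manager_from_config(config_text) if config_text else None
    env = manager_from_env(environ)
    manager = cfg or env
    dll_present = bool(manager) and assembly_file_name(manager[0]).lower() in siblings
    return {
        "config_manager": cfg,
        "env_manager": env,
        "dll_present": dll_present,
        # Any manager override on a binary that does not normally ship one
        # deserves a look; an override plus the matching DLL beside the exe
        # is the complete setup for the injection described above.
        "suspicious": manager is not None,
    }


if __name__ == "__main__":
    print(assess(INJECTION_CONFIG, {}, ["oncesvc.exe", "oncesvc.exe.config",
                                         "ExampleManager.dll"]))
    print(assess(BENIGN_CONFIG, {}, ["app.exe", "app.exe.config"]))
```

In practice the config text comes from the <name>.exe.config file next to each .NET executable and the environment from the process under investigation; a manager override on a signed Microsoft binary, with an unsigned DLL of the named assembly sitting in the same directory, is the combination this campaign relies on.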

Given how stealthy both techniques are, experts recommend concentrating on stopping the payload from executing in the first place: blocking MSC files and other script-capable attachments at the email gateway, and restricting MMC execution on endpoints where users have no need for it. Defenders can also watch for the chain’s artifacts, such as mmc.exe spawning downloaders or script hosts and .exe.config files appearing beside signed .NET binaries. As these attacks grow more sophisticated, organizations must remain vigilant and adapt their defenses accordingly.
