
Newly discovered Microsoft Management Console attack detected in the wild


Threat actors have recently been employing a new attack technique that enables them to bypass detection systems and achieve full code execution in Microsoft Management Console using specially crafted management saved console (MSC) files. This discovery was made public by researchers from Elastic Security Labs after they identified a sample that was uploaded to VirusTotal on June 6. Notably, this sample has thus far gone undetected by the antivirus engines on the platform, highlighting the sophistication of this new infection method, dubbed GrimResource.

The GrimResource attack technique capitalizes on an old XSS flaw in the apds.dll library, a vulnerability that threat actors exploit to inject malicious code into Microsoft Management Console (mmc.exe) while triggering minimal security alerts. By inserting a reference to the vulnerable APDS resource within a meticulously crafted MSC file, attackers can execute arbitrary JavaScript within the context of mmc.exe. To further enhance the efficacy of this technique, threat actors can combine it with tools like DotNetToJScript in order to achieve arbitrary code execution.
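A defender-side illustration of the point above, as an added example that is not code from the article or from Elastic Security Labs: a console file is XML that names snap-ins, views and strings, so a reference to the apds.dll resource or embedded script content has no legitimate reason to appear in one. The scanner below approximates what a YARA rule for this technique checks, scoring a file on indicator strings without ever rendering or executing it. The indicator list, weights, threshold and the two sample files are all constructed for this example; the "suspicious" sample only carries the indicator strings and is not a working payload.

```python
"""Heuristic static scanner for Microsoft Management Console (.msc) files.

Added example (not the article's or Elastic's code). Indicators, weights,
threshold and sample files are assumptions constructed for this example.
"""
import html
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Indicator -> weight. Weights and threshold are an assumption for this example.
INDICATORS = {
    "apds.dll": 5,       # reference to the XSS-prone APDS resource
    "transformnode": 3,  # TransformNode obfuscation noted in the article
    "<script": 2,        # inline script inside a console file is abnormal
    "javascript:": 2,
    "vbscript": 2,
}
ALERT_THRESHOLD = 5


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    well_formed_xml: bool = False
    root_tag: str = ""

    @property
    def suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def scan_msc(data: bytes) -> ScanResult:
    """Score an MSC file by string indicators; the file is never executed."""
    result = ScanResult()
    try:
        root = ET.fromstring(data)
        result.well_formed_xml = True
        result.root_tag = root.tag
    except ET.ParseError:
        pass  # malformed XML is still scanned as raw text below

    # Decode leniently and unescape one layer of XML/HTML entities so that an
    # entity-encoded indicator such as &#97;pds.dll is still matched.
    text = html.unescape(data.decode("utf-8", errors="ignore")).lower()
    for indicator, weight in INDICATORS.items():
        if indicator in text:
            result.hits.append(indicator)
            result.score += weight
    return result


# Constructed samples. The second carries indicator strings only; it is not a
# working payload.
BENIGN_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">apds.dll TransformNode (constructed indicator strings only)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        r = scan_msc(blob)
        print(f"{name}: score={r.score} hits={r.hits} suspicious={r.suspicious}")
```

The raw-text fallback matters: a file that fails strict XML parsing should raise, not lower, suspicion, because the scanner's parser and MMC's parser need not agree on what the file contains.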

The initial stages of the attack involve a TransformNode obfuscation technique, which has previously been observed in unrelated macro samples. This obfuscation method helps circumvent ActiveX security warnings and leads to an obfuscated embedded VBScript. Subsequently, the embedded VBScript stores the target payload in environment variables before leveraging the DotNetToJScript technique to execute an embedded .NET loader, dubbed PASTALOADER by the researchers. PASTALOADER employs a stealthy method of retrieving the payload and injecting it into a new instance of dllhost.exe; the final payload identified in the sample was Cobalt Strike.

Utilizing the DotNetToJScript technique triggers a specific detection that looks for RWX memory allocation from .NET via a Windows Script Host (WSH) script engine. To complement this detection, the researchers have developed a rule in Elastic's Event Query Language (EQL) to identify execution via the .NET loader. In addition to the EQL rules, the researchers have also provided a YARA detection rule to aid in detecting and mitigating the GrimResource attack technique.
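The execution chain described in the two paragraphs above (mmc.exe opening an MSC file, the DotNetToJScript stage loading the .NET runtime, and PASTALOADER injecting into a new dllhost.exe) is exactly the kind of ordered sequence an EQL rule expresses. The following added example is not Elastic's rule; it is a plain-Python sketch of the same idea over constructed endpoint telemetry. The event schema and field names, the list of .NET runtime DLLs, the user-writable path list, the time window and the sample events are all assumptions for this example, and the RWX memory-allocation signal that the real detection keys on is not modelled here.

```python
"""Sequence detection for the GrimResource execution chain over endpoint events.

Added example, not the EQL or YARA rule published by Elastic Security Labs.
Event schema, DLL names, path list, window and sample events are assumptions.
"""
from dataclasses import dataclass

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")
DOTNET_RUNTIME = ("clr.dll", "mscoree.dll", "coreclr.dll")  # assumption
WINDOW_SECONDS = 60.0


@dataclass
class Event:
    ts: float        # seconds since epoch (constructed)
    kind: str        # "process_start", "image_load" or "child_process"
    pid: int         # process the event belongs to
    image: str       # executable or DLL path
    args: str = ""   # command line, for process_start
    child: str = ""  # child image path, for child_process


def opens_msc_from_user_path(ev: Event) -> bool:
    """Stage 1: mmc.exe started with an .msc that lives in a user-writable path."""
    args = ev.args.lower()
    return (ev.kind == "process_start"
            and ev.image.lower().endswith("\\mmc.exe")
            and ".msc" in args
            and any(p in args for p in USER_WRITABLE))


def detect(events):
    """Return one alert dict per mmc.exe process that completes the sequence:
    stage 1, then .NET runtime loaded in that process, then a dllhost.exe child."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, start in enumerate(events):
        if not opens_msc_from_user_path(start):
            continue
        dotnet_loaded = False
        for ev in events[i + 1:]:
            if ev.ts - start.ts > WINDOW_SECONDS:
                break
            if ev.pid != start.pid:
                continue
            if ev.kind == "image_load" and ev.image.lower().endswith(DOTNET_RUNTIME):
                dotnet_loaded = True
            elif (dotnet_loaded and ev.kind == "child_process"
                  and ev.child.lower().endswith("\\dllhost.exe")):
                alerts.append({"pid": start.pid, "msc": start.args, "at": ev.ts})
                break
    return alerts


# Constructed telemetry: an admin opening a built-in console (which may
# legitimately spawn dllhost.exe), then a user opening a downloaded .msc that
# walks the whole chain.
SAMPLE_EVENTS = [
    Event(100.0, "process_start", 1001, r"C:\Windows\System32\mmc.exe",
          args=r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'),
    Event(101.0, "child_process", 1001, r"C:\Windows\System32\mmc.exe",
          child=r"C:\Windows\System32\dllhost.exe"),
    Event(200.0, "process_start", 4242, r"C:\Windows\System32\mmc.exe",
          args=r'"C:\Windows\System32\mmc.exe" C:\Users\alice\Downloads\invoice.msc'),
    Event(202.5, "image_load", 4242,
          r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    Event(203.0, "child_process", 4242, r"C:\Windows\System32\mmc.exe",
          child=r"C:\Windows\System32\dllhost.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Requiring all three stages in order keeps the false-positive rate manageable: a dllhost.exe child on its own is routine COM surrogate activity, and the .NET runtime appearing inside mmc.exe is unusual but not by itself conclusive. An analyst wiring this into real telemetry would add the RWX allocation event from the text as a fourth stage.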

Despite the potential for bypassing detections with stealthier methods, such as employing apds.dll to execute JScript via XSS, the researchers stress the importance of defenders applying their detection guidance to safeguard against this evolving threat. By proactively implementing detection rules and vigilantly monitoring for suspicious activity, organizations can better protect themselves and their customers from these attack techniques before they become widely adopted by cybercriminals.
