New Threat Alert: GrimResource Exploit Using MSC Files

Started by Rudy, Jun 25, 2024, 12:10 PM


Rudy

Cybersecurity researchers have identified a novel attack method, named "GrimResource," that exploits a long-unpatched XSS vulnerability in Windows via MSC files—used within the Microsoft Management Console (MMC). This technique was spotted in a VirusTotal submission on June 6, 2024, involving a file named 'sccm-updater.msc' which managed to evade detection by all antivirus engines on the platform.

Background and Evolution of the Threat:
Post-July 2022, Microsoft disabled macros by default in Office, pushing attackers towards alternative file types like ISOs and ZIPs, and later to Windows Shortcuts and OneNote files, to bypass security. The focus has now shifted to MSC files. The exploitation stems from an unpatched XSS flaw in the 'apds.dll' that allows executing JavaScript code within MMC, discovered back in October 2018 but never remedied.

How GrimResource Operates:
The attack involves a malicious MSC file that triggers JavaScript execution through a crafted URL targeting the XSS flaw in 'apds.dll.' This flaw, when combined with techniques like DotNetToJScript, allows attackers to run arbitrary .NET code, circumventing existing security measures. Notably, the malicious script reconstructs VBScript to inject Cobalt Strike using the DirtyCLR technique into 'dllhost.exe' for further malicious activity.

Implications and Recommendations:
While primarily used to deploy Cobalt Strike for initial network access, the technique's versatility means it could potentially facilitate other malicious commands. System administrators should monitor for any suspicious activity involving 'apds.dll', MMC processes, and unusual script or .NET behavior. Elastic Security has released a detailed list of GrimResource indicators and corresponding YARA rules on GitHub to aid in detecting such threats.

Source: Bleepingcomputer.com
A good debate is not a fight but a dance of ideas. Respect for each other's opinion is the melody that sets the rhythm.
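The post's recommendation to watch for suspicious activity around 'apds.dll' and MMC processes can be turned into a small triage routine. The script below is an added example, not code from the post, BleepingComputer or Elastic: it reads constructed Sysmon-style events (EventID 1 = process create, EventID 7 = image load), flags an mmc.exe process that opened an .msc file from outside the Windows system directories, flags an mmc.exe process that loaded apds.dll, and raises a combined finding only when both happen in the same process. The 'Key=Value|Key=Value' line format, the field names, the process IDs and the sample events are assumptions made for this demo; the file name sccm-updater.msc is the one named in the post.

```python
"""Added example for the monitoring advice in the post above; it is not code
from the post, BleepingComputer or Elastic. It triages constructed,
Sysmon-style events (EventID 1 = process create, 7 = image load) and
flags mmc.exe behaviour the post describes. The event format, the field
names, the process IDs and the sample lines are assumptions for this demo."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Directories where the built-in consoles (eventvwr.msc, services.msc, ...) live.
SYSTEM_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class Finding:
    pid: str
    rule: str
    detail: str


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def msc_paths(cmdline):
    """Return every .msc path on a command line, whether quoted or bare."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]*\.msc)"|(\S+\.msc)',
                                           cmdline, re.IGNORECASE)]


def triage(events):
    """Apply the per-event rules, then correlate them per mmc.exe process."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if not ev.get("image", "").lower().endswith(r"\mmc.exe"):
            continue  # only MMC processes are of interest here
        pid = ev.get("processid", "?")
        if ev.get("eventid") == "7":
            loaded = ev.get("imageloaded", "").lower()
            if loaded.endswith(r"\apds.dll"):
                findings.append(Finding(pid, "mmc_loads_apds", loaded))
        elif ev.get("eventid") == "1":
            for path in msc_paths(ev.get("commandline", "")):
                if not path.lower().startswith(SYSTEM_MSC_DIRS):
                    findings.append(Finding(pid, "msc_outside_system_dir", path))
    # Both signals in the same process is the pattern worth escalating.
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f.pid].add(f.rule)
    for pid, rules in rules_by_pid.items():
        if {"mmc_loads_apds", "msc_outside_system_dir"} <= rules:
            findings.append(Finding(pid, "grimresource_pattern",
                                    "apds.dll loaded by mmc.exe opened on a non-system .msc"))
    return findings


# Constructed sample telemetry: one suspicious console (pid 4120), one
# benign built-in console (pid 5200), and an unrelated process.
SAMPLE_EVENTS = [
    r'EventID=1|ProcessId=4120|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\system32\mmc.exe" "C:\Users\alice\Downloads\sccm-updater.msc"',
    r'EventID=7|ProcessId=4120|Image=C:\Windows\System32\mmc.exe|ImageLoaded=C:\Windows\System32\apds.dll',
    r'EventID=1|ProcessId=5200|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"',
    r'EventID=7|ProcessId=5200|Image=C:\Windows\System32\mmc.exe|ImageLoaded=C:\Windows\System32\mmcndmgr.dll',
    r'EventID=1|ProcessId=6000|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe',
]


def main():
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")


if __name__ == "__main__":
    main()
```

Running the script on the sample events reports three findings, all for pid 4120: the non-system .msc, the apds.dll load, and the combined pattern; the built-in eventvwr.msc console produces nothing. The correlation step matters because mmc.exe loading apds.dll on its own is a weak signal (the library is part of MMC's normal help plumbing), so it is paired with where the console file came from. In a real deployment the next field to add is the post's third indicator, script or .NET activity in the same process, which this demo's event format does not carry.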