A new command execution method has been identified, leveraging specially crafted MSC (Microsoft Saved Console) files and an unpatched Windows XSS vulnerability to breach networks via the Microsoft Management Console (MMC).
Named 'GrimResource' by researchers at Elastic Security Labs, the new technique involves the exploitation of an old cross-site scripting (XSS) flaw in the apds.dll library. GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings.
Attackers craft MSC files with references to a vulnerable APDS resource within the StringTable section. When processed by MMC, these references trigger JavaScript execution in the context of mmc.exe.
By combining this vulnerability with the DotNetToJScript technique, threat actors can achieve arbitrary code execution. The process starts with a crafted MSC (Microsoft Saved Console) file that contains a reference to the vulnerable APDS resource. The JavaScript that runs as a result loads a .NET component called 'PASTALOADER', which retrieves a Cobalt Strike payload via environment variables set by the VBScript. It then spawns a new instance of 'dllhost.exe' and injects the payload using the 'DirtyCLR' technique, which includes function unhooking and indirect system calls.
Elastic said it discovered a sample named 'sccm-updater.msc', uploaded to VirusTotal on June 6, 2024, that uses the GrimResource technique, indicating that the method is already being used in the wild. More importantly, none of the antivirus engines on VirusTotal flagged the sample as malicious.
The company has shared Indicators of Compromise (IoCs) related to the attack, as well as YARA rules to help cybersecurity analysts identify malicious MSC files.
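As an added example (not Elastic's YARA rules or any code from the report), the following Python triage script shows how a defender can check an MSC file for the pattern described above: a StringTable entry that references apds.dll, optionally combined with a javascript: URI. It assumes the XML console layout with StringTables/StringTable/Strings/String elements; both sample consoles are constructed and contain no working payload.

```python
import re
import xml.etree.ElementTree as ET

# Markers a defender would look for in a GrimResource-style StringTable entry:
# the vulnerable library and a script-scheme URI (both matched case-insensitively).
APDS_RE = re.compile(r"apds\.dll", re.IGNORECASE)
SCRIPT_RE = re.compile(r"javascript:", re.IGNORECASE)


def suspicious_strings(msc_xml: str) -> list:
    """Return every <String> under a <StringTable> that references apds.dll."""
    root = ET.fromstring(msc_xml)
    hits = []
    for table in root.iter("StringTable"):  # assumed MSC XML layout
        for s in table.iter("String"):
            text = s.text or ""
            if APDS_RE.search(text):
                hits.append({"id": s.get("ID"),
                             "script_scheme": bool(SCRIPT_RE.search(text)),
                             "text": text})
    return hits


def classify(msc_xml: str) -> str:
    """'malicious' if apds.dll is paired with a javascript: URI, 'suspicious'
    for any apds.dll reference, 'clean' otherwise, 'unparseable' on bad XML."""
    try:
        hits = suspicious_strings(msc_xml)
    except ET.ParseError:
        return "unparseable"
    if any(h["script_scheme"] for h in hits):
        return "malicious"
    return "suspicious" if hits else "clean"


# Constructed sample consoles (not real samples); PLACEHOLDER is not a payload.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPECT_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
    <String ID="2">res://apds.dll/PLACEHOLDER?target=javascript:PLACEHOLDER</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""
```

Running `classify(BENIGN_MSC)` returns "clean" and `classify(SUSPECT_MSC)` returns "malicious"; in practice the script would be pointed at files collected from mail gateways or endpoints rather than the inline samples.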