
GrimResource (Exploit Kit) – Malware

December 12, 2024

GrimResource

Type of Malware

Exploit Kit

Country of Origin

Unknown

Date of Initial Activity

2024 (first sample observed in June 2024)

Associated Groups

Unknown

Motivation

Espionage

Attack Vectors

Phishing (crafted MSC file delivered as an attachment or download)

Targeted Systems

Windows

Overview

GrimResource is an initial-access and defense-evasion technique, first documented publicly in June 2024, that abuses Microsoft Management Console (mmc.exe) to run attacker-controlled script on a Windows host. The attacker delivers a specially crafted MSC (saved console) file; when the victim opens it, MMC resolves a reference in the file's StringTable to a resource in apds.dll, a Windows library carrying a years-old cross-site scripting (XSS) flaw. That flaw lets JavaScript embedded in the MSC execute inside the mmc.exe process, a signed Microsoft binary, with minimal warnings to the user. Because execution runs through a trusted console rather than an Office macro or a script host such as wscript.exe, detections keyed to those vectors do not fire, which is what makes MSC files attractive now that Office macros are blocked by default.

Targets

Windows users who open a crafted MSC file delivered by phishing; specific victims have not been publicly identified.

How they operate

Execution starts with an MSC file whose StringTable section carries a reference to apds.dll. When the victim opens the file, mmc.exe loads the library and resolves the reference, which triggers the old XSS flaw in apds.dll; JavaScript embedded in the obfuscated StringTable entry then runs inside the mmc.exe process with minimal warnings to the user. Because the host is a signed Microsoft console rather than wscript.exe or an Office macro, controls tuned to those vectors stay silent.

The script uses the transformNode technique, evaluating further script through an XML transform, together with embedded VBScript; this hampers static inspection and is a known way to evade ActiveX security warnings. It then applies DotNetToJScript to load an embedded .NET assembly, tracked as PASTALOADER, into mmc.exe.

PASTALOADER reads the payload location from environment variables that the VBScript stage set, starts a new instance of dllhost.exe, and injects the payload into it. The injection combines the DirtyCLR technique, unhooking of API functions and indirect syscalls so that the memory writes and thread creation are not seen by user-mode hooks placed by security products. In the sample analyzed by Elastic the injected payload was Cobalt Strike, a post-exploitation framework used for command and control.

Detection should centre on behaviour that benign consoles rarely show: mmc.exe loading apds.dll, mmc.exe writing temporary HTML files (Elastic observed names of the form redirect[1].htm) under the user's INetCache folder as a side effect of the apds.dll redirect, unexpected script-engine or .NET runtime loads into mmc.exe, and mmc.exe spawning or injecting into dllhost.exe. YARA rules matching the apds.dll reference and script markers inside MSC files catch the file before it is opened, and MSC files arriving by e-mail or sitting in user-writable directories deserve the same scrutiny as other script-bearing attachments.
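The static side of the detection described above, as an added example that is not code from Elastic or from the original page: a small Python triage script that parses an MSC file as XML, pulls every StringTable string and flags the pairing of an apds.dll reference with script markers. The two embedded MSC documents are constructed samples, and the exact res://apds.dll/redirect.html?target=javascript: form of the reference is my reconstruction of the pattern, not a copy of the real sample.

```python
"""Static triage of .msc console files for GrimResource-style StringTable abuse.

Added example, not code from Elastic Security Labs or from the page.
Usage: python msc_triage.py file1.msc file2.msc ...
"""
import re
import sys
import xml.etree.ElementTree as ET

# Indicator patterns. The reference to apds.dll (the library holding the XSS
# flaw) paired with script markers is the GrimResource ingredient; the other
# markers are generic script/obfuscation artefacts seen in the technique.
APDS_RE = re.compile(r"apds\.dll", re.IGNORECASE)
SCRIPT_RE = re.compile(
    r"javascript:|vbscript:|<script|transformNode|eval\(|unescape\(|ActiveXObject",
    re.IGNORECASE,
)

# Constructed sample MSC files (not real GrimResource artefacts). MSC files are
# XML; display strings live in <String> elements under <StringTable>. The
# res:// path and the javascript: payload below are illustrative assumptions.
MALICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:eval(unescape("%61%6C%65%72%74%28%31%29"))</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def extract_strings(msc_xml):
    """Return the text of every <String> element, wherever it sits in the tree.

    Accepts str or bytes; bytes lets ElementTree honour the file's own
    encoding declaration or BOM (real MSC files are sometimes UTF-16).
    """
    root = ET.fromstring(msc_xml)
    return [el.text for el in root.iter("String") if el.text]


def triage_msc(msc_xml):
    """Classify one MSC document as clean, review, suspicious or unparseable."""
    try:
        strings = extract_strings(msc_xml)
    except ET.ParseError:
        # A console file MMC cannot parse as XML is itself worth a look.
        return {"verdict": "unparseable", "apds_refs": [], "script_refs": []}
    apds_refs = [s for s in strings if APDS_RE.search(s)]
    script_refs = [s for s in strings if SCRIPT_RE.search(s)]
    if apds_refs and script_refs:
        verdict = "suspicious"   # both GrimResource ingredients present
    elif apds_refs or script_refs:
        verdict = "review"       # only one ingredient; unusual for a console
    else:
        verdict = "clean"
    return {"verdict": verdict, "apds_refs": apds_refs, "script_refs": script_refs}


def triage_file(path):
    """Triage an MSC file on disk, passing raw bytes so the XML encoding is honoured."""
    with open(path, "rb") as fh:
        return triage_msc(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        result = triage_file(p)
        print(f"{p}: {result['verdict']} ({len(result['apds_refs'])} apds ref(s), "
              f"{len(result['script_refs'])} script marker(s))")
```

The pairing rule matters more than either pattern alone: legitimate consoles never reference apds.dll from a StringTable, and a hit on script markers alone most often means an unusual but benign snap-in, so that case is surfaced for review rather than alerted on.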

MITRE Tactics and Techniques

Initial Access (TA0001):
Phishing: Spearphishing Attachment (T1566.001): The crafted MSC file reaches the victim as a mailed or downloaded attachment. Exploit Public-Facing Application (T1190) does not apply; nothing in the chain is exposed to the network.
Execution (TA0002):
User Execution: Malicious File (T1204.002): The chain starts only when the victim opens the MSC file in mmc.exe.
Command and Scripting Interpreter: JavaScript (T1059.007) and Visual Basic (T1059.005): JavaScript delivered through the apds.dll XSS runs inside mmc.exe and hands off to embedded VBScript.
System Binary Proxy Execution: MMC (T1218.014): mmc.exe, a signed Microsoft binary, hosts all of the above.
Persistence (TA0003):
None described. The stages in the analyzed sample (script, PASTALOADER, injected Cobalt Strike) contain no autostart or logon mechanism; any persistence would be established later by the operator through the Cobalt Strike session.
Privilege Escalation (TA0004):
None. GrimResource contains no privilege-escalation exploit; the injected code runs at whatever integrity level mmc.exe was launched with for that user.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): transformNode-based evaluation of embedded script and obfuscated StringTable content hide the payload from static inspection.
Process Injection (T1055): PASTALOADER injects the final payload into a new dllhost.exe, using DirtyCLR, function unhooking and indirect syscalls to avoid user-mode hooks placed by security products.
Command and Control (TA0011):
Application Layer Protocol (T1071): The injected Cobalt Strike Beacon talks to its team server, typically over HTTP or HTTPS; the sample's C2 configuration was not published.
Impact (TA0040):
None inherent. GrimResource delivers a command-and-control implant; data encryption (T1486) or any other impact would be a separate, later action by the operator, not part of the technique.
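The behavioural side of the mapping above (Execution via mmc.exe, Process Injection into dllhost.exe), as an added example that is not Elastic's published rules or code from the page: a Python detector that correlates constructed Sysmon-style process, image-load and file-create events per mmc.exe pid and alerts when several GrimResource indicators line up. The event format, the redirect[1].htm path and the heuristic that a dllhost.exe child of mmc.exe lacking the usual /Processid: argument is suspicious are assumptions made for this example.

```python
"""Correlate endpoint telemetry for GrimResource indicators per mmc.exe process.

Added example, not Elastic's rules or code from the page. Event dicts below
mimic Sysmon event IDs 1 (process create), 7 (image load) and 11 (file create).
"""
import re

# Heuristics (assumptions for this example):
#  - an MSC opened from a user-writable directory (phishing delivery)
#  - mmc.exe loading apds.dll (the library holding the XSS flaw)
#  - mmc.exe writing redirect[N].htm under INetCache (apds.dll redirect artefact)
#  - a dllhost.exe child of mmc.exe started without the /Processid: argument
#    that legitimate COM surrogate launches carry (PASTALOADER injection target)
USER_DIR_RE = re.compile(r"\\(Downloads|Desktop|Temp|Public)\\[^\"]*\.msc", re.IGNORECASE)
INETCACHE_REDIRECT_RE = re.compile(r"\\INetCache\\.*redirect\[\d+\]\.htm$", re.IGNORECASE)

# Constructed sample telemetry: pid 3004 is a benign Event Viewer session,
# pid 4120 is the GrimResource chain, pid 5568 is its dllhost.exe child.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3004, "ppid": 1200,
     "image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc /s'},
    {"type": "image_load", "pid": 3004, "image": r"C:\Windows\System32\mmc.exe",
     "loaded": r"C:\Windows\System32\els.dll"},
    {"type": "process_create", "pid": 4120, "ppid": 1200,
     "image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"'},
    {"type": "image_load", "pid": 4120, "image": r"C:\Windows\System32\mmc.exe",
     "loaded": r"C:\Windows\System32\apds.dll"},
    {"type": "file_create", "pid": 4120, "image": r"C:\Windows\System32\mmc.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\K3Q9W2AB\redirect[1].htm"},
    {"type": "process_create", "pid": 5568, "ppid": 4120,
     "image": r"C:\Windows\System32\dllhost.exe", "parent_image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe"},
]


def detect(events):
    """Map each mmc.exe pid to the ordered list of distinct indicators seen for it."""
    findings = {}

    def hit(pid, rule):
        rules = findings.setdefault(pid, [])
        if rule not in rules:
            rules.append(rule)

    for ev in events:
        image = ev.get("image", "").lower()
        kind = ev["type"]
        if image.endswith("\\mmc.exe"):
            if kind == "process_create" and USER_DIR_RE.search(ev.get("cmdline", "")):
                hit(ev["pid"], "msc_opened_from_user_dir")
            elif kind == "image_load" and ev.get("loaded", "").lower().endswith("\\apds.dll"):
                hit(ev["pid"], "apds_dll_loaded")
            elif kind == "file_create" and INETCACHE_REDIRECT_RE.search(ev.get("target", "")):
                hit(ev["pid"], "inetcache_redirect_html")
        elif (kind == "process_create" and image.endswith("\\dllhost.exe")
              and ev.get("parent_image", "").lower().endswith("\\mmc.exe")
              and "/processid:" not in ev.get("cmdline", "").lower()):
            # Attribute the child to the parent mmc.exe so indicators correlate.
            hit(ev["ppid"], "dllhost_child_without_processid")
    return findings


def alerts(events, min_rules=2):
    """Return only the mmc.exe pids that tripped at least min_rules distinct indicators."""
    return {pid: rules for pid, rules in detect(events).items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for pid, rules in alerts(SAMPLE_EVENTS).items():
        print(f"mmc.exe pid {pid}: {', '.join(rules)}")
```

The apds.dll load alone is a strong signal and can be alerted on by itself; the threshold in alerts() is there for the weaker indicators, so that a console legitimately opened from a Desktop folder does not page anyone until a second GrimResource artefact appears on the same process.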
References:
  • GrimResource – Microsoft Management Console for initial access and evasion (Elastic Security Labs, June 2024)