A new command execution technique known as GrimResource has emerged, utilizing Microsoft Saved Console (MSC) files and an unpatched Windows XSS vulnerability to execute arbitrary code via the Microsoft Management Console. This technique leverages MSC files, a type used for managing system tools, and exploits an old cross-site scripting (XSS) flaw in the `apds.dll` library. The attack involves a specially crafted MSC file that triggers JavaScript execution in the context of the `mmc.exe` process, allowing the deployment of malware like Cobalt Strike.
Since July 2022, attackers have shifted tactics due to changes in Microsoft’s handling of macros in Office, initially turning to file types like ISO images and password-protected ZIP files. After these were patched, they moved to new file types such as Windows Shortcuts and OneNote files. The latest shift involves MSC files, which are now being used to circumvent security measures that were put in place to detect previous attack methods. The malicious MSC file contains code that exploits the XSS vulnerability to execute arbitrary JavaScript.
The GrimResource attack was recently observed in a sample uploaded to VirusTotal in June 2024. This sample uses the GrimResource technique to deploy Cobalt Strike, a popular tool for initial network access, and demonstrates the ongoing threat posed by unpatched vulnerabilities. The XSS flaw in question, reported in 2018, remains unpatched in the latest Windows versions, raising concerns about its exploitation in ongoing cyber campaigns.
To mitigate the risks associated with GrimResource, system administrators are advised to monitor for suspicious activities involving `apds.dll` and `mmc.exe`, as well as look for unusual .NET COM object creation and temporary HTML files created in the INetCache folder. Elastic Security has provided a list of indicators and YARA rules on GitHub to help detect and defend against these attacks, emphasizing the need for vigilance in identifying and responding to these sophisticated threats.
Reference:
