Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

GrimResource Exploits MSC Files and XSS Flaw

June 21, 2024
Reading Time: 2 mins read
in Alerts
GrimResource Exploits MSC Files and XSS Flaw

A new command execution technique known as GrimResource has emerged, utilizing Microsoft Saved Console (MSC) files and an unpatched Windows XSS vulnerability to execute arbitrary code via the Microsoft Management Console. This technique leverages MSC files, a type used for managing system tools, and exploits an old cross-site scripting (XSS) flaw in the `apds.dll` library. The attack involves a specially crafted MSC file that triggers JavaScript execution in the context of the `mmc.exe` process, allowing the deployment of malware like Cobalt Strike.

Since July 2022, attackers have shifted tactics due to changes in Microsoft’s handling of macros in Office, initially turning to file types like ISO images and password-protected ZIP files. After these were patched, they moved to new file types such as Windows Shortcuts and OneNote files. The latest shift involves MSC files, which are now being used to circumvent security measures that were put in place to detect previous attack methods. The malicious MSC file contains code that exploits the XSS vulnerability to execute arbitrary JavaScript.

The GrimResource attack was recently observed in a sample uploaded to VirusTotal in June 2024. This sample uses the GrimResource technique to deploy Cobalt Strike, a popular tool for initial network access, and demonstrates the ongoing threat posed by unpatched vulnerabilities. The XSS flaw in question, reported in 2018, remains unpatched in the latest Windows versions, raising concerns about its exploitation in ongoing cyber campaigns.

To mitigate the risks associated with GrimResource, system administrators are advised to monitor for suspicious activities involving `apds.dll` and `mmc.exe`, as well as look for unusual .NET COM object creation and temporary HTML files created in the INetCache folder. Elastic Security has provided a list of indicators and YARA rules on GitHub to help detect and defend against these attacks, emphasizing the need for vigilance in identifying and responding to these sophisticated threats.

Reference:

  • New GrimResource Attack Uses MSC Files and XSS Flaw for Code Execution
Tags: Cobalt StrikeCyber AlertsCyber Alerts 2024Cyber threatsGrimResourceJavascriptJune 2024MicrosoftVulnerability
ADVERTISEMENT

Related Posts

AMOS Mac Stealer Adds Persistent Backdoor

AMOS Mac Stealer Adds Persistent Backdoor

July 8, 2025
AMOS Mac Stealer Adds Persistent Backdoor

NordDragonScan Malware Steals Windows Data

July 8, 2025
AMOS Mac Stealer Adds Persistent Backdoor

New Ransomware BERT Targets ESXi Systems

July 8, 2025
hpingbot Botnet Uses Pastebin C2 Channel

APT36 Targets Indian Defense Linux Systems

July 7, 2025
hpingbot Botnet Uses Pastebin C2 Channel

Hackers Abuse Driver Signing For Malware

July 7, 2025
hpingbot Botnet Uses Pastebin C2 Channel

hpingbot Botnet Uses Pastebin C2 Channel

July 7, 2025

Latest Alerts

New Ransomware BERT Targets ESXi Systems

NordDragonScan Malware Steals Windows Data

AMOS Mac Stealer Adds Persistent Backdoor

APT36 Targets Indian Defense Linux Systems

hpingbot Botnet Uses Pastebin C2 Channel

Hackers Abuse Driver Signing For Malware

Subscribe to our newsletter

    Latest Incidents

    French Chip Firm Semco Hacked During IPO

    Louis Vuitton Korea Hit By Cyberattack

    Virginia School District Hit By Cyberattack

    Ransomware Attack Causes Outage at Ingram

    Call of Duty Players Hacked on Game Pass

    RansomHub Claims Theft of Coppell City Data

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial