Malicious actors are now employing a novel attack method in real-world scenarios, utilizing specially crafted Microsoft Management Console (MSC) files to enable full code execution. By exploiting vulnerabilities within the Microsoft Management Console (MMC), these actors effectively circumvent existing security measures.

The attack method, dubbed “GrimResource” by Elastic Security Labs, was identified following the discovery of an artifact named “sccm-updater.msc” uploaded to the VirusTotal malware scanning platform on June 6, 2024.

You might be interested in: Markopolo’s Crypto Scam via Fake Meeting Software

The company explained that importing a maliciously crafted console file could exploit a flaw in one of the MMC libraries, leading to the execution of adversarial code, potentially including malware.

The adversaries are capable of combining this tactic with DotNetToJScript, facilitating arbitrary code execution that can result in unauthorized access, full system control, and potentially more severe consequences.

Furthermore, adversaries are increasingly turning to uncommon file types to spread malware, seeking to evade Microsoft’s security protocols, such as the automatic disabling of macros in Office files downloaded from the internet.

In a detailed report, Genians, a South Korean cybersecurity firm, outlined how the North Korea-linked Kimsuky hacking group has been leveraging a rogue MSC file to disseminate malware.

GrimResource exploits a cross-site scripting (XSS) vulnerability in the apds.dll library to execute unrestricted JavaScript code within the Microsoft Management Console (MMC) environment. Despite being disclosed to Microsoft and Adobe in late 2018, this vulnerability remains unpatched.

The exploit is facilitated by embedding a reference to the vulnerable APDS resource within the StringTable section of a malicious MSC file. When this file is opened via MMC, it triggers the execution of JavaScript code.

This method not only bypasses ActiveX warnings but can also be combined with DotNetToJScript to enable arbitrary code execution. The analyzed sample employs this strategy to launch a .NET loader component named PASTALOADER, which ultimately executes Cobalt Strike.

Following Microsoft’s move to disable Office macros by default for documents sourced from the internet, attackers have increasingly turned to alternative methods such as JavaScript, MSI files, LNK objects, and ISOs for infection,” explained security experts Joe Desimone and Samir Bousseaden.

However, they noted that these alternative techniques are under close scrutiny by defenders and are highly likely to be detected. Despite this, adversaries have developed a new method to execute unauthorized code through the Microsoft Management Console by utilizing specially crafted MSC files.