New Attack Technique Targets Microsoft Management Console Files

Threat actors are exploiting a new attack technique that leverages specially crafted Management Saved Console (MSC) files to achieve full code execution using Microsoft Management Console (MMC), thereby evading security defenses.

Elastic Security Labs has named this approach GrimResource after identifying an artifact ("sccm-updater.msc") uploaded to the VirusTotal malware scanning platform on June 6, 2024.

“When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to the execution of adversary code, including malware,” the company stated in a report shared with The Hacker News.

“Attackers can combine this technique with DotNetToJScript to achieve arbitrary code execution, which can result in unauthorized access, system takeover, and more.”

The use of uncommon file types for malware distribution is seen as an alternative method by adversaries to bypass security measures implemented by Microsoft in recent years, such as disabling macros by default in Office files downloaded from the internet.

Last month, South Korean cybersecurity firm Genians reported that the North Korea-linked Kimsuky hacking group used a malicious MSC file to deliver malware.

GrimResource, however, exploits a cross-site scripting (XSS) vulnerability in the apds.dll library to execute arbitrary JavaScript code within the MMC context. This XSS flaw was initially reported to Microsoft and Adobe in late 2018 and remains unpatched.

The attack is carried out by adding a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file. When this file is opened with MMC, it triggers the execution of JavaScript code.

This technique not only bypasses ActiveX warnings but can also be combined with DotNetToJScript to achieve arbitrary code execution. The analyzed sample uses this method to launch a .NET loader component called PASTALOADER, which ultimately leads to the deployment of Cobalt Strike.
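The detection angle that follows from the description above: MSC files are XML, so a defender can scan their StringTable entries for a reference to the apds.dll resource. The script below is an added example and not code from Elastic Security Labs or the article; the element names (MMC_ConsoleFile, StringTable, String) and the two sample console files are assumptions and constructed inputs, not real artifacts.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Heuristics drawn from the article: a StringTable entry that references the
# vulnerable apds.dll resource, or carries inline script, is the trigger.
SUSPICIOUS_PATTERNS = [
    re.compile(r"apds\.dll", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"<script", re.IGNORECASE),
]


def scan_msc_xml(xml_text: str) -> List[str]:
    """Return findings for one MSC file's XML content.

    Walks every <String> element under any <StringTable> (element names are
    an assumption about the MSC layout) and reports pattern matches."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A console file that does not parse deserves a closer look on its own.
        return [f"malformed XML: {exc}"]
    findings = []
    for table in root.iter("StringTable"):
        for entry in table.iter("String"):
            value = (entry.text or "").strip()
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(value):
                    findings.append(
                        f"String ID={entry.get('ID')} matches {pat.pattern!r}: {value[:60]}"
                    )
                    break
    return findings


# Constructed samples (not real malware): a benign console and one whose
# StringTable carries a reference to apds.dll, as the article describes.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Computer Management</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Updates</String>
    <String ID="2" Refs="1">PLACEHOLDER-REFERENCE-TO-apds.dll</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(name, scan_msc_xml(doc) or "clean")
```

Run over a directory of .msc files, a non-empty result is a triage lead, not a verdict; legitimate consoles should never reference apds.dll.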

“Following Microsoft’s disabling of Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have become more popular,” security researchers Joe Desimone and Samir Bousseaden noted.

“However, these other techniques are closely monitored by defenders and are highly likely to be detected. Attackers have now developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files.”
