Risk actors are exploiting a singular assault method within the wild that leverages specifically crafted control stored console (MSC) information to achieve complete code execution the use of Microsoft Control Console (MMC) and evade safety defenses.
Elastic Safety Labs has codenamed the means GrimResource after figuring out an artifact (“sccm-updater.msc”) that used to be uploaded to the VirusTotal malware scanning platform on June 6, 2024.
“When a maliciously crafted console document is imported, a vulnerability in one of the vital MMC libraries can result in working adversary code, together with malware,” the corporate mentioned in a commentary shared with The Hacker Information.
“Attackers can mix this system with DotNetToJScript to achieve arbitrary code execution, which may end up in unauthorized get admission to, machine takeover and extra.”
Using unusual document sorts as a malware distribution vector is observed instead strive through adversaries to get round safety guardrails erected through Microsoft in recent times, together with disabling macros through default in Workplace information downloaded from the cyber web.
Final month, South Korean cybersecurity company Genians detailed the usage of a malicious MSC document through the North Korea-linked Kimsuky hacking crew to ship malware.
GrimResource, then again, exploits a cross-site scripting (XSS) flaw provide within the apds.dll library to execute arbitrary JavaScript code within the context of MMC. The XSS flaw used to be initially reported to Microsoft and Adobe in past due 2018, despite the fact that it stays unpatched to this point.
That is achieved through including a connection with the prone APDS useful resource within the StringTable phase of a malicious MSC document, which, when opened the use of MMC, triggers the execution of JavaScript code.
The method now not handiest bypasses ActiveX warnings, it may be mixed with DotNetToJScript to achieve arbitrary code execution. The analyzed pattern makes use of this way to release a .NET loader element dubbed PASTALOADER that in the long run paves the best way for Cobalt Strike.
“After Microsoft disabled Workplace macros through default for internet-sourced paperwork, different an infection vectors like JavaScript, MSI information, LNK items, and ISOs have surged in reputation,” safety researchers Joe Desimone and Samir Bousseaden mentioned.
“Alternatively, those different tactics are scrutinized through defenders and feature a top probability of detection. Attackers have evolved a brand new method to execute arbitrary code in Microsoft Control Console the use of crafted MSC information.”