Carding Forum
Professional
- Messages
- 2,788
- Reaction score
- 1,170
- Points
- 113
Microsoft's actions forced North Korea to use system files to attack Windows.
DBAPPSecurity specialists found that the North Korean group Kimsuky uses MSC files in its attacks to avoid detection and execute malicious code on the target system.
MSC files (Microsoft Saved Console) are used in the MMC console to manage various aspects of the operating system or create custom views of frequently used tools.
When initially uploaded to the VirusTotal platform, no antivirus engine recognized the files as malicious. The technique of infecting hackers that allows you to execute arbitrary code is called GrimResource.
Experts have discovered similar attacks using MSC files aimed at users from China. MSC files exploit an XSS vulnerability in the library apds.dll, which allows you to execute custom JavaScript code in the context of mmc.exe
The MSC file performs these actions by disguising itself as the installation file of the popular Chinese translator YoudaoDict, which requests the execution of malicious code from a remote server and creates tasks for launching additional malware when the user logs in. Ultimately, the attack leads to the delivery of malicious content and remote management of the infected computer.
The analysis showed that the detected samples of MSC files may be related to the Chinese FaCai group, which was detected in April 2024, when it used modified versions of the Gh0st RAT Trojan. Now hackers are actively using MSC files. Further analysis revealed other FaCai files, such as fake Chrome installation files and documents with data about the educational sector. All files used similar techniques and infrastructure to perform malicious actions.
DBAPPSecurity warns users not to open attachments from unknown sources. To check for suspicious files, we recommend using a cloud sandbox, which allows you to safely analyze files in a virtual environment, preventing infection of the main system. In addition, the laboratory recommends updating the relevant products to protect against new threats.
The GrimResource attack came after Microsoft disabled macros in Office by default in July 2022, which caused attackers to experiment with new file types in attacks. Since then, the use of ISO, RAR, and LNK files in malicious campaigns has increased, and now MSC files have been added to this list.
Source
DBAPPSecurity specialists found that the North Korean group Kimsuky uses MSC files in its attacks to avoid detection and execute malicious code on the target system.
MSC files (Microsoft Saved Console) are used in the MMC console to manage various aspects of the operating system or create custom views of frequently used tools.
When initially uploaded to the VirusTotal platform, no antivirus engine recognized the files as malicious. The technique of infecting hackers that allows you to execute arbitrary code is called GrimResource.
Experts have discovered similar attacks using MSC files aimed at users from China. MSC files exploit an XSS vulnerability in the library apds.dll, which allows you to execute custom JavaScript code in the context of mmc.exe
The MSC file performs these actions by disguising itself as the installation file of the popular Chinese translator YoudaoDict, which requests the execution of malicious code from a remote server and creates tasks for launching additional malware when the user logs in. Ultimately, the attack leads to the delivery of malicious content and remote management of the infected computer.
The analysis showed that the detected samples of MSC files may be related to the Chinese FaCai group, which was detected in April 2024, when it used modified versions of the Gh0st RAT Trojan. Now hackers are actively using MSC files. Further analysis revealed other FaCai files, such as fake Chrome installation files and documents with data about the educational sector. All files used similar techniques and infrastructure to perform malicious actions.
DBAPPSecurity warns users not to open attachments from unknown sources. To check for suspicious files, we recommend using a cloud sandbox, which allows you to safely analyze files in a virtual environment, preventing infection of the main system. In addition, the laboratory recommends updating the relevant products to protect against new threats.
The GrimResource attack came after Microsoft disabled macros in Office by default in July 2022, which caused attackers to experiment with new file types in attacks. Since then, the use of ISO, RAR, and LNK files in malicious campaigns has increased, and now MSC files have been added to this list.
Source
