New GrimResource Attack Vector

Carding Forum

The new attack vector, named "GrimResource", allows arbitrary command execution by combining an unpatched XSS vulnerability in Windows with specially crafted files in the MSC format (Microsoft Saved Console).

Attackers switched to .msc files after Microsoft introduced a number of security measures that make it harder to conduct phishing attacks using OneNote files and shortcuts.

Windows MSC files are used by the Microsoft Management Console (MMC) to configure various components of the operating system and to create custom views of frequently used tools.

A team of researchers from Elastic has discovered a new technique that distributes MSC files and exploits an old but still unfixed cross-site scripting vulnerability in Windows. Previously, this XSS, which affects the apds.dll library, was used to deploy Cobalt Strike.

Elastic specialists found a sample (sccm-updater.msc) uploaded to VirusTotal on June 6, 2024. It turned out that this sample used the GrimResource vector, which means the technique is already being used in real attacks. Notably, no antivirus engine detected the threat.

Note also that the malicious MSC files involved in GrimResource exploit a security hole in apds.dll that allows JavaScript code to be executed via specially prepared URLs.

Microsoft learned of this vulnerability back in October 2018, but the corporation decided at the time that the issue did not meet its criteria for patching.

Elastic also clarified that the flaw can be chained with the DotNetToJScript technique. Together they allow .NET code to be executed through the JavaScript engine.

The researchers shared a video demonstration of GrimResource on the social network X: https://x.com/SBousseaden/status/1804225219571147140

-----

DBAPPSecurity specialists found that the North Korean group Kimsuky uses MSC files in its attacks to avoid detection and execute malicious code on the target system.

MSC files (Microsoft Saved Console) are used in the MMC console to manage various aspects of the operating system or create custom views of frequently used tools.

When the files were first uploaded to the VirusTotal platform, no antivirus engine recognized them as malicious. The infection technique used by the attackers, which allows arbitrary code execution, is called GrimResource.

Experts have discovered similar attacks using MSC files targeting users in China. The MSC files exploit an XSS vulnerability in the apds.dll library, which allows custom JavaScript code to be executed in the context of mmc.exe.
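Because an MSC file is an XML document, a defender can triage a suspicious console before anyone opens it in mmc.exe by inspecting its strings for the indicators this post describes (a reference to apds.dll, or an embedded JavaScript URL). The scanner below is an added example written for this page; it is not Elastic's or DBAPPSecurity's tooling, and the indicator patterns and the two sample console files are assumptions constructed for the demonstration, not real samples.

```python
"""Triage MSC (Microsoft Saved Console) files for GrimResource-style indicators.

Added example for this page (not vendor tooling). The indicator regexes and
the sample XML below are assumptions/constructed data, not real malware.
"""
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Heuristic indicators (assumption): a legitimate saved console has no reason
# to reference the apds.dll library or to carry a javascript: URL in its strings.
INDICATORS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def iter_strings(root):
    """Yield every text node, tail and attribute value in the XML tree."""
    for elem in root.iter():
        if elem.text:
            yield elem.text
        if elem.tail:
            yield elem.tail
        for value in elem.attrib.values():
            yield value


def scan_msc_text(xml_text):
    """Return the sorted list of indicator names found in one MSC document.

    A file that is not well-formed XML is reported as ['unparseable'], since a
    console MMC cannot load is itself worth a closer look.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["unparseable"]
    hits = set()
    for s in iter_strings(root):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.add(name)
    return sorted(hits)


def scan_directory(path):
    """Map each *.msc file under `path` to its list of indicator hits."""
    results = {}
    for p in Path(path).rglob("*.msc"):
        text = p.read_text(encoding="utf-8", errors="replace")
        results[str(p)] = scan_msc_text(text)
    return results


# Constructed samples (not real files): a minimal benign console, and one whose
# StringTable carries both indicators.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Services (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">apds.dll</String>
    <String ID="2">javascript:PLACEHOLDER</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""


if __name__ == "__main__":
    # Usage: python msc_triage.py <directory>   (falls back to the samples above)
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]).items():
            print(f"{path}: {hits or 'clean'}")
    else:
        print("benign sample:", scan_msc_text(BENIGN_MSC))
        print("suspicious sample:", scan_msc_text(SUSPICIOUS_MSC))
```

The scanner deliberately walks every text node and attribute rather than a fixed path, so the indicators are caught wherever an author places them in the console XML; a hit is a reason to detonate the file in a sandbox, not proof of malice on its own.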

The MSC file is disguised as the installer of the popular Chinese translator YoudaoDict. It requests malicious code from a remote server and creates scheduled tasks that launch additional malware when the user logs in. Ultimately, the attack leads to delivery of malicious payloads and remote control of the infected computer.

The analysis showed that the detected MSC samples may be linked to the Chinese FaCai group, first observed in April 2024 using modified versions of the Gh0st RAT Trojan. The group is now actively using MSC files. Further analysis revealed other FaCai files, such as fake Chrome installers and documents about the education sector. All of these files used similar techniques and infrastructure to carry out malicious actions.

DBAPPSecurity warns users not to open attachments from unknown sources. To check suspicious files, the researchers recommend using a cloud sandbox, which allows files to be analyzed safely in a virtual environment without infecting the main system. The lab also recommends keeping the relevant security products up to date to protect against new threats.

The GrimResource attack emerged after Microsoft disabled Office macros by default in July 2022, which pushed attackers to experiment with new file types. Since then, the use of ISO, RAR, and LNK files in malicious campaigns has increased, and MSC files have now been added to that list.