‘GrimResource’ Technique Exploits Windows XSS Flaw for Command Execution via MSC Files

Jun 25, 2024 | News


A novel command execution technique, dubbed ‘GrimResource,’ leverages specially crafted Microsoft Saved Console (MSC) files and an unpatched Windows cross-site scripting (XSS) flaw to perform code execution via the Microsoft Management Console (MMC).

In July 2022, Microsoft disabled macros by default in Office, prompting threat actors to experiment with new file types in phishing attacks. Initially, attackers switched to ISO images and password-protected ZIP files, as these file types did not propagate Mark of the Web (MoTW) flags to extracted files. However, after Microsoft addressed this issue for ISO files and 7-Zip added MoTW flag propagation, attackers sought new methods, turning to Windows Shortcuts and OneNote files.

Now, attackers have adopted Windows MSC (.msc) files, used in MMC to manage various aspects of the operating system or create custom views of commonly accessed tools. The abuse of MSC files for malware deployment was previously reported by South Korean cybersecurity firm Genian. Inspired by this research, the Elastic team discovered a new technique for distributing MSC files and exploiting an old but unpatched Windows XSS flaw in apds.dll to deploy Cobalt Strike.

Elastic identified a sample (‘sccm-updater.msc’) uploaded to VirusTotal on June 6, 2024, demonstrating the active exploitation of GrimResource. Alarmingly, no antivirus engines on VirusTotal flagged it as malicious.

This campaign currently utilizes the technique to deploy Cobalt Strike for initial network access, though it could also execute other commands. Researchers confirmed to BleepingComputer that the XSS flaw remains unpatched in the latest Windows 11 version.


How GrimResource Works

The GrimResource attack begins with a malicious MSC file designed to exploit a DOM-based XSS flaw in the ‘apds.dll’ library, enabling arbitrary JavaScript execution through a crafted URL. This vulnerability was reported to Adobe and Microsoft in October 2018. Although both companies investigated, Microsoft decided the flaw did not meet the criteria for immediate fixing. As of March 2019, the XSS flaw was still unpatched. BleepingComputer has reached out to Microsoft for confirmation on whether the flaw has been addressed, but no comment was immediately available.

The malicious MSC file references the vulnerable APDS resource in its StringTable section. When the file is opened, MMC processes that entry and the attacker's JavaScript runs inside the 'mmc.exe' process.

Reference to apds.dll redirect in StringTable
Source: Elastic Security
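As an added illustration, not code from the article or from Elastic's research, the Python script below statically triages an .msc file for the StringTable reference described above. MSC files are XML; the element layout the parser assumes (an <MMC_ConsoleFile> root with StringTable/Strings/String entries) and both embedded sample consoles are constructed for this example, and the exact query string on the apds.dll redirect URL in the malicious sample is an assumption, so the verdict keys on the 'apds.dll' token rather than on that shape.

```python
"""Static triage of a Microsoft Saved Console (.msc) file for the GrimResource
StringTable pattern: an entry that points at the apds.dll redirect resource.

Added example, not the article's or Elastic's code. The XML layout assumed
(MMC_ConsoleFile root, StringTables/StringTable/Strings/String) and both sample
files are constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Tokens reported alongside an apds.dll hit; "apds.dll" alone decides the verdict.
APDS_MARKERS = ("apds.dll", "redirect.html", "javascript:", "res://")

# Constructed benign console: a saved view of the Services snap-in.
BENIGN_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Services</String>
        <String ID="2" Refs="1">Console Root</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed malicious console: the StringTable carries a res:// URL into the
# apds.dll redirect page. The query string is an assumed shape for the sample.
MALICIOUS_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:alert(1)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def _local(tag: str) -> str:
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_stringtable_strings(msc_bytes: bytes) -> list[str]:
    """Return the text of every <String> element under any StringTable.

    If the XML does not parse, fall back to a regex over the raw bytes: a
    deliberately malformed file is not a reason to skip triage.
    """
    try:
        root = ET.fromstring(msc_bytes)
    except ET.ParseError:
        text = msc_bytes.decode("utf-8", errors="replace")
        return re.findall(r"<String\b[^>]*>(.*?)</String>", text, flags=re.S)
    strings = []
    for table in root.iter():
        if _local(table.tag) == "StringTable":
            strings.extend((el.text or "") for el in table.iter() if _local(el.tag) == "String")
    return strings


def scan_msc(msc_bytes: bytes) -> dict:
    """Flag a console file whose StringTable references apds.dll."""
    hits = []
    for s in extract_stringtable_strings(msc_bytes):
        low = s.lower()
        markers = [m for m in APDS_MARKERS if m in low]
        if "apds.dll" in markers:
            hits.append({"string": s, "markers": markers})
    return {
        "is_msc": b"<MMC_ConsoleFile" in msc_bytes,
        "suspicious": bool(hits),
        "hits": hits,
    }


if __name__ == "__main__":
    import sys
    # Pass a path to scan a real file; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MALICIOUS_MSC
    print(scan_msc(data))
```

The raw-bytes fallback matters in practice: a file that trips the XML parser still opens in MMC only if MMC accepts it, but a triage pipeline should never return "clean" simply because parsing failed.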

Elastic explains that the XSS flaw can be combined with the ‘DotNetToJScript’ technique to execute arbitrary .NET code through the JavaScript engine, bypassing security measures. The examined sample uses ‘transformNode’ obfuscation to evade ActiveX warnings. The JavaScript code reconstructs a VBScript, which employs DotNetToJScript to load a .NET component named ‘PASTALOADER.’

The malicious VBScript file
Source: Elastic Security

PASTALOADER retrieves a Cobalt Strike payload from environment variables set by the VBScript, spawns a new instance of ‘dllhost.exe,’ and injects it using the ‘DirtyCLR’ technique, which includes function unhooking and indirect system calls.

Cobalt Strike injected into dllhost.exe
Source: Elastic Security

Elastic researcher Samir Bousseaden shared a demonstration of the GrimResource attack on X.

https://x.com/SBousseaden/status/1804225219571147140




Stopping GrimResource

System administrators are advised to be vigilant for the following indicators:

  • File operations involving apds.dll invoked by mmc.exe.
  • Suspicious executions via MMC, especially processes spawned by mmc.exe with .msc file arguments.
  • RWX memory allocations by mmc.exe originating from script engines or .NET components.
  • Unusual .NET COM object creation within non-standard script interpreters like JScript or VBScript.
  • Temporary HTML files in the INetCache folder resulting from APDS XSS redirection.
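The following Python hunting logic is an added example, not Elastic's detection content, applying three of the indicators above (apds.dll loaded by mmc.exe, a child process of an mmc.exe that was started with a .msc argument, and an .htm/.html file written by mmc.exe under INetCache) to a constructed batch of Sysmon-style events. The field names follow Sysmon's ProcessCreate, ImageLoad and FileCreate events, the paths and process IDs are invented, and the RWX-allocation and script-engine COM indicators are not covered because they need memory and COM telemetry that Sysmon does not emit.

```python
"""Hunting rules for three GrimResource indicators, run over constructed
Sysmon-style telemetry. Added example; not the article's or Elastic's code."""

# Constructed sample telemetry (not real logs). Field names follow Sysmon
# EventID 1 (ProcessCreate), 7 (ImageLoad) and 11 (FileCreate).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\sccm-updater.msc"',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 2200},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\apds.dll"},
    # Assumed artifact name: the page only says an HTML file lands in INetCache.
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Windows\System32\mmc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\K3R0ZZ1A\redirect[1].htm"},
    {"EventID": 1, "ProcessId": 5016, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe", "ParentProcessId": 4120},
    # Benign admin activity: the Services console opened normally, no apds.dll.
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 2200},
    {"EventID": 7, "ProcessId": 6100, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\filemgmt.dll"},
]


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_grimresource(events: list[dict]) -> list[dict]:
    """Return one alert dict ({"rule", "ProcessId", "detail"}) per indicator match."""
    # Index ProcessCreate events by pid so a child-process alert can look up the
    # parent's command line: the .msc argument is on the parent, not the child.
    creates = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for e in events:
        eid = e.get("EventID")
        image = _basename(e.get("Image", ""))

        # 1. mmc.exe loading apds.dll, the library carrying the XSS redirect page.
        if eid == 7 and image == "mmc.exe" and _basename(e.get("ImageLoaded", "")) == "apds.dll":
            alerts.append({"rule": "mmc_loads_apds_dll", "ProcessId": e["ProcessId"],
                           "detail": e["ImageLoaded"]})

        # 2. A child of mmc.exe whose parent was launched with a .msc file argument.
        elif eid == 1 and _basename(e.get("ParentImage", "")) == "mmc.exe":
            parent_cmd = creates.get(e.get("ParentProcessId"), {}).get("CommandLine", "")
            if ".msc" in parent_cmd.lower():
                alerts.append({"rule": "mmc_msc_spawns_child", "ProcessId": e["ProcessId"],
                               "detail": f"{image} <- {parent_cmd}"})

        # 3. mmc.exe writing an .htm/.html file into INetCache (APDS redirect artifact).
        elif eid == 11 and image == "mmc.exe":
            target = e.get("TargetFilename", "")
            low = target.lower()
            if "\\inetcache\\" in low and low.endswith((".htm", ".html")):
                alerts.append({"rule": "mmc_writes_inetcache_html", "ProcessId": e["ProcessId"],
                               "detail": target})
    return alerts


if __name__ == "__main__":
    for alert in hunt_grimresource(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 will also fire on legitimate consoles that launch helper tools, so in production it is the combination with rule 1 or 3 on the same mmc.exe process ID, or a .msc path outside System32, that should raise the severity rather than the child process alone.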

Elastic Security has published a comprehensive list of GrimResource indicators on GitHub and provided YARA rules to help defenders detect suspicious MSC files.


Source: bleepingcomputer.com
