Heimdal

A new code execution technique, dubbed GrimResource, combines crafted MSC files with a Windows cross-site scripting (XSS) flaw first reported in 2018 and still unpatched to deploy malware through the Microsoft Management Console (MMC).

Researchers detected the technique in the wild on June 6th, 2024. Because the payload runs inside mmc.exe, a signed Microsoft binary, abusing the Management Console lets attackers gain initial access while evading security controls that trust that process.

Although researchers reported the flaw in October 2018, it still affects the latest Windows 11 builds and has not received a patch.

The GrimResource code execution technique explained

The first step in the chain is tricking the target into opening a forged MSC file. Reportedly, researchers observed attackers contacting victims on Facebook and persuading them to download what appears to be a Word document.

The document is in fact an MSC file disguised as a Word document. The attackers replaced the file's icon with the Word icon so the file does not look like an MSC console, and relabelled the "Run" button as "Open" to avoid raising suspicion.

When the victim clicks "Open", the GrimResource technique exploits a cross-site scripting (XSS) vulnerability in the apds.dll library. Combined with a crafted MSC file, the flaw lets the attackers execute arbitrary JavaScript in the context of mmc.exe.

From there, they use DotNetToJScript to run a .NET loader dubbed PASTALOADER. The loader retrieves its payload from environment variables and injects it into a newly spawned dllhost.exe instance. One of the final payloads the researchers observed was Cobalt Strike.

[Image: the GrimResource chain of commands, from the forged MSC file through mmc.exe, apds.dll, DotNetToJScript and PASTALOADER to dllhost.exe]

Source – Cyberinsider.com

How to detect a GrimResource operation

To detect a potential GrimResource attack, system administrators should look for:

  • File operations or module loads that involve apds.dll in the context of mmc.exe.
  • Suspicious executions via MMC, such as mmc.exe launched with an .msc file argument from a user-writable location, or unexpected processes spawned by mmc.exe.
  • RWX (read-write-execute) memory allocations in mmc.exe that originate from script engines or .NET components.
  • Unusual .NET COM object creation inside non-standard script interpreters such as JScript or VBScript.
  • Temporary HTML files created in the INetCache folder as a result of the APDS XSS redirection.
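The five signals above map directly onto process-creation, image-load and file-creation telemetry. The following triage script is an added example, not Heimdal's or the original researchers' detection content: it runs the five checks over a constructed set of Sysmon-style events (field names follow Sysmon's schema; the `api` event type with its `Protection` and `CallStack` fields is an assumption standing in for EDR or ETW memory telemetry, since Sysmon does not log allocations). The sample events, paths and file names are constructed for illustration.

```python
"""Triage constructed Sysmon-style events for the GrimResource detection signals.

Added example, not code from the original article or from the researchers who
documented the technique. Event field names follow Sysmon (Image, ParentImage,
CommandLine, ImageLoaded, TargetFilename); the 'api' event type is an assumed
stand-in for EDR/ETW memory-allocation telemetry.
"""
from collections import defaultdict

# Locations a phishing lure would typically land in (assumption: extend per environment).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\appdata\\local\\")
SCRIPT_ENGINES = ("jscript.dll", "jscript9.dll", "vbscript.dll")
DOTNET_IMAGES = ("clr.dll", "mscoree.dll", "mscorlib.ni.dll")


def _is(path, name):
    """True when the full image path ends with the given executable name."""
    return path.lower().endswith("\\" + name)


def detect_grimresource(events):
    """Return a list of (rule_name, detail) hits, in event order.

    Each event is a dict with a 'type' of 'process', 'imageload', 'filecreate'
    or 'api' plus Sysmon-like fields. Per-process module history is tracked so
    a .NET runtime load can be correlated with an earlier script-engine load.
    """
    hits = []
    loaded = defaultdict(set)  # ProcessId -> lowercase module names loaded so far
    for ev in events:
        image = ev.get("Image", "")
        pid = ev.get("ProcessId")
        kind = ev["type"]
        if kind == "process":
            cmd = ev.get("CommandLine", "").lower()
            # Signal 2a: mmc.exe opened an .msc that lives in a user-writable path.
            if _is(image, "mmc.exe") and ".msc" in cmd and any(d in cmd for d in USER_WRITABLE):
                hits.append(("mmc_msc_from_user_path", ev["CommandLine"]))
            # Signal 2b: mmc.exe spawning children (e.g. the dllhost.exe injection target).
            if _is(ev.get("ParentImage", ""), "mmc.exe"):
                hits.append(("child_of_mmc", image))
        elif kind == "imageload" and _is(image, "mmc.exe"):
            mod = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
            # Signal 1: apds.dll pulled into mmc.exe.
            if mod == "apds.dll":
                hits.append(("apds_loaded_by_mmc", ev["ImageLoaded"]))
            # Signal 4: .NET runtime appearing after a script engine in the same process.
            engines = loaded[pid] & set(SCRIPT_ENGINES)
            if mod in DOTNET_IMAGES and engines:
                hits.append(("dotnet_in_script_host", f"{mod} after {sorted(engines)}"))
            loaded[pid].add(mod)
        elif kind == "filecreate" and _is(image, "mmc.exe"):
            target = ev["TargetFilename"].lower()
            # Signal 5: HTML dropped into INetCache by the console process.
            if "\\inetcache\\" in target and target.endswith((".htm", ".html")):
                hits.append(("inetcache_html_by_mmc", ev["TargetFilename"]))
        elif kind == "api" and _is(image, "mmc.exe"):
            stack = ev.get("CallStack", "").lower()
            # Signal 3: RWX allocation whose call stack passes through a script engine or the CLR.
            if ev.get("Protection") == "PAGE_EXECUTE_READWRITE" and any(
                m in stack for m in SCRIPT_ENGINES + DOTNET_IMAGES
            ):
                hits.append(("rwx_alloc_from_script_or_clr", ev["CallStack"]))
    return hits


MMC = r"C:\Windows\System32\mmc.exe"

# Constructed sample of a GrimResource-like sequence (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "Image": MMC, "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Invoice.msc"'},
    {"type": "imageload", "Image": MMC, "ProcessId": 4120, "ImageLoaded": r"C:\Windows\System32\apds.dll"},
    {"type": "filecreate", "Image": MMC, "ProcessId": 4120,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\tmp[1].htm"},
    {"type": "imageload", "Image": MMC, "ProcessId": 4120, "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    {"type": "imageload", "Image": MMC, "ProcessId": 4120,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"type": "api", "Image": MMC, "ProcessId": 4120, "Call": "VirtualAlloc",
     "Protection": "PAGE_EXECUTE_READWRITE", "CallStack": "jscript.dll+0x1a2b;clr.dll+0x3c4d;mmc.exe+0x10"},
    {"type": "process", "Image": r"C:\Windows\System32\dllhost.exe", "ProcessId": 4188,
     "ParentImage": MMC, "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
]

# Constructed benign activity: an admin opening a built-in console.
BENIGN_EVENTS = [
    {"type": "process", "Image": MMC, "ProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'},
    {"type": "imageload", "Image": MMC, "ProcessId": 5000, "ImageLoaded": r"C:\Windows\System32\ole32.dll"},
    {"type": "filecreate", "Image": MMC, "ProcessId": 5000, "TargetFilename": r"C:\ProgramData\Microsoft\Event Viewer\x.xml"},
]

if __name__ == "__main__":
    for rule, detail in detect_grimresource(SAMPLE_EVENTS):
        print(f"{rule:32s} {detail}")
```

Each rule on its own is noisy in a real estate (administrators open consoles all day, and dllhost.exe is a common child), so the practical use is to count how many distinct signals fire for one mmc.exe process ID within a short window; a console that loads apds.dll, writes HTML into INetCache and then spawns a child is a far stronger indicator than any single event.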

Threat detection helps keep your environment safe, but preventing the intrusion works better. Like many other attacks, GrimResource relies on network communication with attacker-controlled infrastructure, both to retrieve stages and for the final payload, such as Cobalt Strike, to reach its command-and-control server.

A DNS filtering tool can spot and block those connections before the attackers establish a foothold. Heimdal's predictive DNS has a 96% accuracy rate in detecting malicious domains, even ones not yet listed as such.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
