Hackers are exploiting an unusual attack technique that uses specially crafted MSC (Microsoft Saved Console) files to obtain full code execution via the Microsoft Management Console (MMC) while evading security defences.
The researchers identified an artifact (sccm-updater.msc) that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.
The GrimResource method uses an old XSS vulnerability in the ‘apds.dll’ library, which allows the execution of arbitrary JavaScript via a crafted URL. The malicious MSC file contains a reference to the vulnerable APDS resource in its StringTable section; when the target opens the file, MMC processes that reference and the JavaScript runs in the context of ‘mmc.exe’.
The attack method uses ‘transformNode’ obfuscation to bypass ActiveX warnings. The researchers further stated that the XSS flaw can be combined with DotNetToJScript to gain arbitrary code execution, potentially leading to full system compromise and unauthorised access.
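The two indicators the article names, a StringTable reference to the apds.dll resource and ‘transformNode’ obfuscation, are the most useful hooks for a defender who wants to triage .msc files at the mail gateway or on an endpoint. The scanner below is an added example written for this page; it is not code from the researchers or from any vendor. It treats the MSC file as the XML document MMC saves, walks every element and attribute, and reports any value containing one of those markers. The two sample consoles are constructed, the second one carrying only a labelled placeholder string rather than any real reference, and the element and attribute names are assumed to match what MMC writes.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Markers taken from the article: the apds.dll resource referenced from the
# StringTable and the transformNode obfuscation. Matching is case-insensitive
# because nothing forces an attacker to keep the original casing.
SUSPICIOUS_MARKERS = ("apds.dll", "transformNode")


def scan_msc(xml_text: str) -> Dict[str, List[str]]:
    """Parse an MSC console file (MMC_ConsoleFile XML) and return a mapping
    marker -> list of element text or attribute values that contain it.
    An empty dict means no marker was found. Non-XML input raises ValueError
    so that a corrupt or mislabelled file is surfaced instead of passing."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc

    hits: Dict[str, List[str]] = {}
    # iter() visits every element in document order; the StringTable entries
    # named in the article live in String elements, but a marker is flagged
    # wherever it appears so a relocated reference is not missed.
    for elem in root.iter():
        values = [elem.text or ""] + list(elem.attrib.values())
        for value in values:
            lowered = value.lower()
            for marker in SUSPICIOUS_MARKERS:
                if marker.lower() in lowered:
                    hits.setdefault(marker, []).append(value.strip())
    return hits


# Constructed sample: a console that only names a snap-in, as a saved
# Event Viewer console would.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: same console with an extra StringTable entry that
# mentions the apds.dll resource. The value is a placeholder, not a working
# reference; it exists only to exercise the detector.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Event Viewer (Local)</String>
        <String ID="2" Refs="1">apds.dll PLACEHOLDER-CONSTRUCTED-FOR-TESTING</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def scan_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper: read an .msc file from disk and scan it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_msc(fh.read())


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        result = scan_msc(sample)
        verdict = "FLAG" if result else "clean"
        print(f"{label}: {verdict} {result}")
```

A match is a triage signal, not proof: a legitimate console has no reason to mention apds.dll or transformNode, so any hit deserves a manual look, while a clean result only says these two markers are absent and says nothing about payloads hidden elsewhere in the file.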
Although the flaw was reported to Microsoft and Adobe in October 2018, prompting investigations from both, Microsoft flagged it as a case that did not meet the criteria for immediate patching. The vulnerability remains unpatched to this day.
Microsoft disabled macros by default in Office in July 2022, prompting attackers to experiment with other file types such as JavaScript, MSI files, LNK objects, and ISOs. The shift to these file types reflects threat actors’ continuing efforts over recent years to get around Microsoft’s defences.
After macros were disabled, attackers first switched to ISO images and password-protected ZIP files, because those formats did not properly propagate Mark of the Web (MoTW) flags to extracted files. After Microsoft fixed MoTW propagation for ISO images and 7-Zip added a feature to propagate MoTW flags, attackers switched to OneNote files and Windows Shortcuts.
Cybercriminals have now switched to MSC files, which MMC uses to manage various aspects of the operating system or to create custom views of commonly used tools. In May 2024, the South Korean cybersecurity firm Genian reported the exploitation of MSC files.