GrimResource: A New Cybersecurity Threat Exploiting Microsoft Management Console
Elastic Security Labs has recently uncovered a novel cyberattack technique dubbed “GrimResource,” which leverages specially crafted MSC files to gain unauthorized code execution within Microsoft Management Console (mmc.exe).
The GrimResource technique capitalizes on an old cross-site scripting (XSS) vulnerability in the apds.dll library, enabling attackers to execute arbitrary JavaScript code within mmc.exe with minimal security warnings. This makes it an ideal tool for gaining initial access to systems and evading traditional security defenses.
Elastic Security Labs’ analysis reveals that the GrimResource technique involves a series of sophisticated steps, including obfuscation, VBScript execution, and the utilization of a .NET loader dubbed PASTALOADER. The final payload, in the analyzed sample, was the notorious Cobalt Strike penetration testing framework, often leveraged by malicious actors for post-exploitation activities.
The GrimResource infection process is intricate and meticulously designed to evade detection:
- Obfuscation Technique: The attack begins with a transformNode obfuscation method, similar to those observed in recent macro samples, which helps bypass ActiveX security warnings.
- Embedded VBScript: The obfuscation leads to an embedded VBScript, which sets the target payload in a series of environment variables.
- DotNetToJs Execution: The VBScript leverages the DotNetToJs technique to execute an embedded .NET loader, named PASTALOADER by Elastic researchers.
- Payload Retrieval: PASTALOADER retrieves the payload from the environment variables set by the VBScript.
- Stealthy Injection: PASTALOADER then spawns a new instance of dllhost.exe and stealthily injects the payload using techniques like DirtyCLR, function unhooking, and indirect syscalls. The final payload in the observed sample is Cobalt Strike, a known post-exploitation tool.
Elastic Security Labs has provided comprehensive analysis and detection guidance to help the cybersecurity community protect against this new threat. Their defense-in-depth approach has proven effective, but vigilance and adaptation are crucial as such techniques proliferate. For detailed technical insights and detection strategies, refer to the full report by Elastic Security Labs.