Organizations Beware of New GrimResource Attack
Reports from BleepingComputer have highlighted a concerning new attack technique that could compromise organizations’ networks. The GrimResource command execution attack exploits a Windows cross-site scripting vulnerability that has remained unpatched since its discovery in 2018, making it a serious threat to cybersecurity.
According to a report from Elastic Security Labs, the attack begins with a malicious MSC file targeting a DOM-based XSS flaw in the ‘apds.dll’ library. This vulnerability can be combined with the ‘DotNetToJScript’ technique to enable arbitrary .NET code execution and the deployment of a Cobalt Strike payload in the Microsoft Management Console.
System administrators are advised to watch for signs that the GrimResource technique is being exploited. These include file operations involving apds.dll invoked by mmc.exe, suspicious mmc.exe RWX memory allocations, atypical .NET COM objects, and temporary HTML files resulting from APDS XSS redirection.
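As an added illustration (not code from Elastic Security Labs or BleepingComputer), the four signs listed above can be correlated per mmc.exe process so that a combination ranks higher than any single one. The event schema, field names, COM baseline, temporary-directory markers and the two-sign threshold are all assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Hypothetical baseline of .NET COM objects expected inside mmc.exe at this site.
EXPECTED_DOTNET_COM = {"Example.Baseline.Snapin"}
TEMP_MARKERS = ("\\temp\\", "\\inetcache\\")  # assumed temporary locations

MMC = r"C:\Windows\System32\mmc.exe"
SAMPLE_EVENTS = [  # constructed telemetry in a hypothetical schema
    {"pid": 4120, "image": MMC, "type": "file_open", "path": r"C:\Windows\System32\apds.dll"},
    {"pid": 4120, "image": MMC, "type": "mem_alloc", "protection": "RWX"},
    {"pid": 4120, "image": MMC, "type": "dotnet_com", "object": "Example.Unknown.Object"},
    {"pid": 4120, "image": MMC, "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\view[1].htm"},
    {"pid": 5300, "image": MMC, "type": "file_open", "path": r"C:\Windows\System32\APDS.DLL"},
    {"pid": 5300, "image": MMC, "type": "dotnet_com", "object": "Example.Baseline.Snapin"},
    {"pid": 6000, "image": r"C:\Windows\notepad.exe", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\notes.html"},
]

def classify(event):
    """Map one event to the sign it matches, or None. Only mmc.exe events count."""
    if ntpath.basename(event["image"]).lower() != "mmc.exe":
        return None
    kind = event["type"]
    path = event.get("path", "").lower()
    if kind == "file_open" and ntpath.basename(path) == "apds.dll":
        return "apds_dll_file_operation"
    if kind == "mem_alloc" and event.get("protection") == "RWX":
        return "rwx_allocation"
    if kind == "dotnet_com" and event.get("object") not in EXPECTED_DOTNET_COM:
        return "atypical_dotnet_com"
    if kind == "file_create" and path.endswith((".htm", ".html")) \
            and any(marker in path for marker in TEMP_MARKERS):
        return "temp_html_file"
    return None

def triage(events, min_signs=2):
    """Collect distinct signs per process; report those with at least min_signs."""
    signs = defaultdict(set)
    for event in events:
        sign = classify(event)
        if sign:
            signs[event["pid"]].add(sign)
    return {pid: sorted(found) for pid, found in signs.items() if len(found) >= min_signs}

if __name__ == "__main__":
    for pid, found in triage(SAMPLE_EVENTS).items():
        print(pid, found)
```

Lowering `min_signs` to 1 also surfaces processes that show a single sign, such as pid 5300 in the sample, at the cost of more noise.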
Elastic Security researchers have also provided YARA rules to help organizations detect suspicious MSC files, offering a proactive approach to defending against this sophisticated cyber threat.