We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

NewApp Digest
search bot

New attack uses MSC files and Windows XSS flaw to breach networks

June 24, 2024

How GrimResource works

The GrimResource attack begins with a malicious MSC file that attempts to exploit an old DOM-based cross-site scripting (XSS) flaw in the ‘apds.dll’ library, which allows the execution of arbitrary JavaScript through a crafted URL.
The vulnerability was reported to Adobe and Microsoft in October 2018, and while both investigated, Microsoft determined that the case did not meet the criteria for immediate fixing.
As of March 2019, the XSS flaw remained unpatched, and it is unclear if it was ever addressed. BleepingComputer contacted Microsoft to confirm if they patched the flaw, but a comment wasn’t immediately available.
The malicious MSC file distributed by attackers contains a reference to the vulnerable APDS resource in the StringTable section, so when the target opens it, MMC processes it and triggers the JS execution in the context of ‘mmc.exe.’

Reference to apds.dll redirect in StringTable
Source: Elastic Security

Elastic explains that the XSS flaw can be combined with the ‘DotNetToJScript’ technique to execute arbitrary .NET code through the JavaScript engine, bypassing any security measures in place.
The examined sample uses ‘transformNode’ obfuscation to evade ActiveX warnings, while the JS code reconstructs a VBScript that uses DotNetToJScript to load a .NET component named ‘PASTALOADER.’

The malicious VBScript file
Source: Elastic Security

PASTALOADER retrieves a Cobalt Strike payload from the environment variables set by the VBScript, spawns a new instance of ‘dllhost.exe,’ and injects it using the ‘DirtyCLR’ technique combined with function unhooking and indirect system calls.

Cobalt Strike injected into dllhost.exe
Source: Elastic Security

Elastic researcher Samir Bousseaden shared a demonstration of the the GrimResource attack on X.

Demonstration of the GrimResource attack

Stopping GrimResource

In general, system administrators are advised to be on the lookout for the following:

  • File operations involving apds.dll invoked by mmc.exe.
  • Suspicious executions via MCC, especially processes spawned by mmc.exe with .msc file arguments.
  • RWX memory allocations by mmc.exe that originate from script engines or .NET components.
  • Unusual .NET COM object creation within non-standard script interpreters like JScript or VBScript.
  • Temporary HTML files created in the INetCache folder as a result of APDS XSS redirection.

Elastic Security has also published a complete list of GrimResource indicators on GitHub and provided YARA rules in the report to help defenders detect suspicious MSC files.

Winsage
New attack uses MSC files and Windows XSS flaw to breach networks