A novel command execution technique dubbed 'GrimResource' uses specially crafted MSC (Microsoft Saved Console) and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
In July 2022,
Microsoft disabled macros by default in Office, causing threat actors to experiment with new file types in phishing attacks. The attackers first switched to ISO images and password-protected ZIP files, as the file types did not properly propagate Mark of the Web (MoTW) flags to extracted files.
After
Microsoft fixed this issue in ISO files and
7-Zip added the option to propagate MoTW flags, attackers were forced to switch to new attachments, such as
Windows Shortcuts and
OneNote files.
Attackers have now switched to a new file type, Windows MSC (.msc) files, which are used in the Microsoft Management Console (MMC) to manage various aspects of the operating system or create custom views of commonly accessed tools.
The abuse of MSC files to deploy malware was previously reported by South Korean cybersecurity firm
Genian. Motivated by this research, the
Elastic team discovered a new technique of distributing MSC files and abusing an old but unpatched Windows XSS flaw in apds.dll to deploy Cobalt Strike.
