New Attack Technique Exploits Microsoft Management Console Files
Vulnerability and Threat Detection
Attackers are using a new technique that abuses Microsoft Management Console (MMC) files. By crafting special Management Saved Console (MSC) files, they can execute code on a victim's computer and evade security controls.
The research team at Elastic Security Labs has named this technique GrimResource. They discovered it when a suspicious file named "sccm-updater.msc" was found on VirusTotal, a malware scanning service, on June 6, 2024.
"When a harmful console file is used, a problem in one of the MMC libraries can allow the hacker to run their own code, which could include dangerous software," the security team explained.
The technique can be combined with DotNetToJScript to execute arbitrary code, which makes it easier for attackers to gain an initial foothold and unauthorized access to systems.
What It Means for You
Using uncommon file types such as MSC files to deliver malware lets attackers sidestep recent hardening measures from Microsoft. For example, Microsoft now blocks macros by default in Office files downloaded from the internet.
Just last month, South Korean cybersecurity company Genians observed North Korean hackers using a malicious MSC file to deliver malware.
How They Do It
GrimResource exploits a cross-site scripting (XSS) flaw in the apds.dll library, which lets attackers execute arbitrary JavaScript in the context of MMC. The flaw was reported to Microsoft and Adobe in 2018 but still hasn't been fixed.
The attacker adds a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file. When the file is opened in MMC, the embedded JavaScript runs automatically.
This not only avoids ActiveX control warnings but can also be paired with DotNetToJScript to run arbitrary code. The sample found in the wild uses this combination to execute a .NET loader called PASTALOADER, which ultimately deploys Cobalt Strike.
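As an added example (not from Elastic's research or this article), here is a small Python check that parses an MSC file as XML and flags StringTable strings that reference apds.dll or a javascript: URI, which is the kind of indicator a defender could hunt for. The two MSC samples and their string contents are constructed for illustration and are not real artifacts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed MSC-like XML samples (not real files). MSC consoles are XML
# documents that carry a StringTable section; the tag layout here is a
# simplified stand-in used only to exercise the check.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile>
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Console Root</String>
        <String ID="2">Services</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile>
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Console Root</String>
        <String ID="2">res://apds.dll/PLACEHOLDER</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# A StringTable entry that points at apds.dll, or carries a javascript: URI,
# has no place in a legitimate saved console and is worth an alert.
SUSPICIOUS_PATTERN = re.compile(r"apds\.dll|javascript:", re.IGNORECASE)

def local_name(tag: str) -> str:
    """Strip any XML namespace prefix so tag matching is namespace-agnostic."""
    return tag.split("}")[-1]

def find_suspicious_strings(msc_xml: str) -> list:
    """Return (ID, text) for every StringTable string matching the pattern."""
    root = ET.fromstring(msc_xml)
    hits = []
    for table in root.iter():
        if local_name(table.tag) != "StringTable":
            continue
        for entry in table.iter():
            if local_name(entry.tag) != "String":
                continue
            text = (entry.text or "").strip()
            if SUSPICIOUS_PATTERN.search(text):
                hits.append((entry.get("ID"), text))
    return hits

def is_suspicious(msc_xml: str) -> bool:
    return bool(find_suspicious_strings(msc_xml))
```

Running it over real samples only requires reading the .msc file contents into a string; MMC consoles that come from untrusted sources are the ones worth checking.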
Rising Threats
"As Microsoft has disabled Office macros by default for documents from the internet, hackers are relying more on other ways to infect computers, like JavaScript, MSI files, LNK objects, and ISOs," said security experts Joe Desimone and Samir Bousseaden.
"However, these methods are closely watched by defenders and are often detected. That's why hackers have developed this new way to run code in Microsoft Management Console using crafted MSC files."
What You Should Do
- Update Regularly: Make sure all your software is up to date.
- Avoid Suspicious Files: Do not open files from unknown sources.
- Use Security Tools: Invest in good antivirus and security software.
- Keep Informed: Stay updated on the latest security threats and recommendations.
By knowing the risks and taking steps to protect yourself, you can better defend against these new and evolving threats.