Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console

Since Microsoft disabled Office macros in documents downloaded from the Internet, attackers have shifted to other vectors, including JavaScript, MSI files, LNK objects, and ISOs.

Some sophisticated attackers are now using other undisclosed methods to go unnoticed.

The Elastic team of security researchers has spotted a new kind of infection, dubbed “GrimResource,” that uses MSC files to run code inside mmc.exe when a user interacts with such a modified file.

VirusTotal first saw this technique on June 6th, reflecting the continuing evolution of malware delivery mechanisms in response to enhanced security features.


Technical Analysis

The GrimResource technique exploits an ancient XSS vulnerability in the apds.dll library, allowing arbitrary JavaScript execution within mmc.exe when a specially crafted MSC file is opened.

Combined with DotNetToJScript, this leads to arbitrary code execution. A sample of this type, initially unknown to VirusTotal, uses transformNode obfuscation and embedded VBScript to set up the attack.

A custom loader called PASTALOADER then retrieves the payload from environment variables and injects it into a new dllhost.exe instance using stealthy methods such as DirtyCLR, function unhooking, and indirect syscalls.

PASTALOADER loader (Source – Elastic)

Cobalt Strike was the final payload, which shows how sophisticated this new attack vector is.

The GrimResource technique was detected in several ways, such as monitoring for suspicious execution via Microsoft Common Console, detecting .NET COM object creation by non-standard Windows Script Interpreters, and observing script execution through an MMC console file.

In the main technique, apds.dll executes JavaScript via XSS, which can be detected through file open events. Additional forensic artifacts, such as temporary HTML files created in the INetCache folder, are also present.

Although some behaviors, like mmc.exe loading certain DLLs, may be normal, malicious activity can be identified by combining these indicators.

mmc.exe allocating RWX memory (Source – Elastic)

These detections span various parts of the attack chain from initial execution to payload delivery and create a comprehensive means of identifying this advanced technique.
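The following added example (not code from Elastic or from the original article) shows the idea of combining indicators per mmc.exe process instead of alerting on any single one. The event schema, the threshold of three indicators, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical event schema: pid, process, action, plus args/path/protection.
CHECKS = {
    "msc_opened": lambda e: e["action"] == "start" and e.get("args", "").lower().endswith(".msc"),
    "apds_dll_open": lambda e: e["action"] == "file_open" and e.get("path", "").lower().endswith("\\apds.dll"),
    "inetcache_html": lambda e: (e["action"] == "file_create"
                                 and "\\inetcache\\" in e.get("path", "").lower()
                                 and e.get("path", "").lower().endswith((".htm", ".html"))),
    "rwx_alloc": lambda e: e["action"] == "mem_alloc" and e.get("protection") == "RWX",
}
MIN_INDICATORS = 3  # assumed threshold; tune against your own baseline

# Constructed sample events: one suspicious mmc.exe, one ordinary mmc.exe, one unrelated process.
EVENTS = [
    {"pid": 4120, "process": "mmc.exe", "action": "start", "args": r"C:\Users\a\Downloads\report.msc"},
    {"pid": 4120, "process": "mmc.exe", "action": "file_open", "path": r"C:\Windows\System32\apds.dll"},
    {"pid": 4120, "process": "mmc.exe", "action": "file_create",
     "path": r"C:\Users\a\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\page[1].htm"},
    {"pid": 4120, "process": "mmc.exe", "action": "mem_alloc", "protection": "RWX"},
    {"pid": 988, "process": "mmc.exe", "action": "start", "args": r"C:\Windows\System32\services.msc"},
    {"pid": 988, "process": "mmc.exe", "action": "file_open", "path": r"C:\Windows\System32\apds.dll"},
    {"pid": 7301, "process": "other.exe", "action": "file_create",
     "path": r"C:\Users\a\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\index[1].htm"},
]


def indicators_by_process(events):
    """Collect the distinct indicators seen for each mmc.exe process id."""
    seen = defaultdict(set)
    for e in events:
        if e.get("process", "").lower() != "mmc.exe":
            continue  # only mmc.exe activity is relevant to this technique
        for name, check in CHECKS.items():
            if check(e):
                seen[e["pid"]].add(name)
    return dict(seen)


def alerts(events, minimum=MIN_INDICATORS):
    """Return {pid: sorted indicators} for processes that meet the threshold."""
    return {pid: sorted(names)
            for pid, names in indicators_by_process(events).items()
            if len(names) >= minimum}


if __name__ == "__main__":
    for pid, names in alerts(EVENTS).items():
        print(f"mmc.exe pid {pid}: {', '.join(names)}")
```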

This new form of attack uses modified MSC files to run arbitrary code in Microsoft Management Console.

Security experts recommend defenders implement practical detection guidance against this technique before it’s adopted by most threat actors targeting the commodity market.

Consequently, this highlights the need for proactive security measures in response to ever-changing cyber threats.

Observables

Observables (Source – Elastic)


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.