Hackers are now using custom-made MSC files to abuse a known, but unpatched, Windows cross-site scripting (XSS) vulnerability which could allow them to remotely execute malware or malicious code on target devices.
Cybersecurity researchers from the Elastic team recently spotted threat actors distributing Microsoft Saved Console (MSC) files, which are generally used by the Microsoft Management Console (MMC). This tool handles different parts of the operating system, and can create custom views of commonly accessed tools.
In this case, however, the MSC files exploit an old DOM-based XSS flaw, allowing for the execution of arbitrary JavaScript through carefully crafted URLs. The JavaScript code, in turn, ends up deploying a Cobalt Strike beacon for initial access to target networks. However, the researchers say it could be used to run other commands as well.
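As an added illustration, not code from the article or from Elastic's research, the following Python script triages saved console files on the defender's side: it walks the XML of an .msc file and flags any string that carries an external URL or HTML/script markup, the two things the article says the crafted files rely on. The two embedded samples are constructed for this example and use a simplified version of the MSC XML layout (an MMC_ConsoleFile root with a StringTable); the indicator patterns are assumptions, not Elastic's detection logic.

```python
"""Heuristic triage for Microsoft Saved Console (.msc) files.

.msc files are XML consumed by mmc.exe. A normal console view holds snap-in
names, tree labels and view settings; it has no reason to carry embedded
script markup or links to external web content. This scanner walks every
element text and attribute value and reports strings matching such
indicators. Indicator list and the XML layout of the samples below are
assumptions for illustration only.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Assumed indicator patterns; case-insensitive.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "url": re.compile(r"\b(?:https?|file|ftp)://", re.I),
    "html_event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def scan_msc(xml_text: str) -> list[dict]:
    """Return one finding per (element, indicator) hit; empty list if clean.

    A document that is not well-formed XML is itself reported, because a
    file that mmc.exe would reject is worth a look rather than a silent skip.
    """
    findings: list[dict] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"indicator": "xml_parse_error", "where": "document", "value": str(exc)}]

    for elem in root.iter():
        candidates = [("text", elem.text or "")]
        candidates += [(f"@{name}", value) for name, value in elem.attrib.items()]
        for where, value in candidates:
            for indicator, pattern in INDICATORS.items():
                if pattern.search(value):
                    findings.append({
                        "indicator": indicator,
                        "where": f"{elem.tag}/{where}",
                        "value": value.strip()[:120],  # truncate long strings for the report
                    })
    return findings


def is_suspicious(xml_text: str) -> bool:
    """Convenience wrapper: True if any indicator fired."""
    return bool(scan_msc(xml_text))


# Constructed sample: a plain console view with only display labels.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Event Viewer (Local)</String>
        <String ID="2" Refs="1">Console Root</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: same layout, but two strings carry a web URL and
# script markup (XML-escaped), which a console view never legitimately needs.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="3" Refs="1">https://example.invalid/view.html</String>
        <String ID="4" Refs="1">&lt;script&gt;alert(1)&lt;/script&gt;</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        hits = scan_msc(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  [{hit['indicator']}] {hit['where']}: {hit['value']}")
```

To triage a real file, read it as text and pass it to `scan_msc`. Two caveats apply: real .msc files also embed binary snap-in state (base64 blobs) that a text heuristic never inspects, and a legitimate console can contain help links, so treat hits as a reason to inspect the file and its delivery path (MSC attachments from the web, as the article describes) rather than as a verdict on their own.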
Novel ways to drop malware
This is a new command execution technique, the researchers said, which is why they dubbed it “GrimResource”.
Who the attackers are, or how they usually deliver these MSC files to their victims was not discussed. However, it is safe to assume that they are doing it through usual channels, such as phishing, instant messaging, social engineering, fake landing pages, and similar.
Threat actors were essentially pushed into discovering new ways to deploy malware, since Microsoft disabled macros on Office files downloaded from the internet.
Macros were, by far, the most popular attack vector, as they allowed hackers to deploy malware through innocent-looking Office documents (Word, Excel, and PowerPoint files). When that method no longer worked, they pivoted towards shortcut files (.LNK), disk image files (ISO) wrapped in a .ZIP or similar archive, and more. These file types did not properly propagate Mark of the Web (MoTW) flags to extracted files, allowing the malware to pass certain safety checks.
Now, since most of these methods are no longer as effective, hackers came up with something new.
Via BleepingComputer