Elastic Security Labs researchers have identified a new cyberattack method called GrimResource, which targets the Microsoft Management Console (MMC) using specially crafted management saved console (MSC) files. This technique, uncovered from a sample uploaded to VirusTotal on June 6, has yet to be detected by static antivirus tools. GrimResource leverages an old XSS flaw in the apds.dll library, allowing attackers to execute arbitrary JavaScript in the context of mmc.exe. By embedding malicious code in the MSC files and using obfuscation techniques, attackers can evade security warnings and gain full code execution.
The attack begins with a TransformNode obfuscation technique that hides the malicious code within a VBScript. This VBScript sets environment variables that enable the DotNetToJScript method to execute an embedded .NET loader, named PASTALOADER, which ultimately injects the payload into a new instance of dllhost.exe. This stealthy approach uses various techniques, including DirtyCLR, function unhooking, and indirect syscalls, to evade detection. The final payload is Cobalt Strike, a well-known penetration testing tool. To counter GrimResource, Elastic Security Labs has provided EQL and YARA detection rules to help defenders identify and mitigate this sophisticated threat before it becomes widespread.