Hackers are now using custom MSC files to exploit a known but unpatched Windows cross-site scripting (XSS) vulnerability, allowing them to remotely execute malware or malicious code on target devices.
Cybersecurity researchers on the Elastic team recently noticed threat actors distributing Microsoft Saved Console (MSC) files, which are typically used by the Microsoft Management Console (MMC). This tool handles various parts of the operating system and can create custom views of commonly used tools.
In this case, the MSC files exploit an old DOM-based XSS flaw that allows arbitrary JavaScript to be executed via carefully crafted URLs. The JavaScript code, in turn, ultimately deploys a Cobalt Strike beacon for initial access to target networks, although the researchers say the same technique can be used to run other commands.
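Because the payload rides inside the console file itself, a defender's first check is to look at what strings an .msc actually carries. The following Python triage script is an added example, not Elastic's detection logic or anything from the article: it assumes that MSC files are plain XML with an `MMC_ConsoleFile` root element (which they are), that a legitimate console contains no script-like text, and it uses a small heuristic indicator list and two constructed sample files so it runs offline.

```python
"""Triage scanner for Microsoft Saved Console (.msc) files.

MSC files are XML documents consumed by mmc.exe. This script walks every
element text and attribute value in the file and flags content that looks
like embedded script or a crafted URL. The indicator list is a heuristic
starting point for triage, not a complete detection rule.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Heuristic indicators. Assumption: a legitimate console file contains none
# of these; any hit should send the file to a sandbox or an analyst.
INDICATORS = {
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "html_event_handler": re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I),
    "url_encoded_markup": re.compile(r"%3c|%3e|&#x3c;|&#60;", re.I),
    "script_host_object": re.compile(r"ActiveXObject|WScript\.Shell", re.I),
}

# Root element name seen in MMC 3.0 console files (assumption for the sanity check).
EXPECTED_ROOT = "MMC_ConsoleFile"

# Constructed sample: a benign-looking console with ordinary display strings.
BENIGN_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable ID="{00000000-0000-0000-0000-000000000001}">
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Services (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: the same layout with script-like strings. XML escaping
# means the literal angle brackets only appear after the parser decodes them.
SUSPICIOUS_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable ID="{00000000-0000-0000-0000-000000000002}">
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">http://example.invalid/view.htm?name=&lt;script&gt;alert(1)&lt;/script&gt;</String>
        <String ID="3" Refs="1">javascript:void(0)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def _iter_strings(root):
    """Yield (location, value) for every text node and attribute in the tree."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text
        for name, value in elem.attrib.items():
            yield f"{elem.tag}@{name}", value


def scan_msc(xml_bytes):
    """Return a list of findings for one MSC file (an empty list means no hit)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        # A file claiming to be a console but failing to parse is itself worth a look.
        return [{"location": "<document>", "indicator": "unparseable_xml", "snippet": str(exc)}]
    findings = []
    if root.tag != EXPECTED_ROOT:
        findings.append({"location": root.tag, "indicator": "unexpected_root", "snippet": root.tag})
    for location, value in _iter_strings(root):
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                findings.append({"location": location, "indicator": name,
                                 "snippet": value.strip()[:80]})
    return findings


def _report(label, xml_bytes):
    hits = scan_msc(xml_bytes)
    print(f"{label}: {'SUSPICIOUS' if hits else 'clean'}")
    for h in hits:
        print(f"  [{h['indicator']}] {h['location']}: {h['snippet']}")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: run against the constructed samples above.
        _report("benign sample", BENIGN_MSC)
        _report("suspicious sample", SUSPICIOUS_MSC)
    for path in paths:
        with open(path, "rb") as fh:
            _report(path, fh.read())
```

Run it as `python scan_msc.py *.msc` against files pulled from mail or download quarantine; with no arguments it scans the two embedded samples. The scanner deliberately inspects every text node and attribute rather than a fixed set of elements, so a payload placed somewhere other than the string table is still seen.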
New ways to deliver malware
This is a new technique for executing commands, the researchers said, which is why they called it “GrimResource.”
Who the attackers are, or how they typically deliver these MSC files to their victims, was not discussed. However, it is safe to assume that they do this through the usual channels such as phishing, instant messaging, social engineering, fake landing pages and the like.
Threat actors were essentially forced to discover new ways to deploy malware as Microsoft disabled macros on Office files downloaded from the Internet.
Macros were by far the most popular attack vector, as they allowed hackers to deploy malware through innocuous-looking Office documents (Word, Excel, and PowerPoint files). When that method no longer worked, they turned to shortcut files (.LNK), disk image files (ISO) packaged in a .ZIP or similar archive, and more. These file types did not properly propagate the Mark of the Web (MoTW) flag to the extracted files, allowing the malware to pass certain security checks.
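The MoTW flag the paragraph refers to is an NTFS alternate data stream named `Zone.Identifier` attached to a downloaded file; a file extracted from an ISO without that stream looks to Windows like it was created locally. The following Python helper is an added example (not from the article) for auditing whether extracted files still carry the flag. It assumes a Windows NTFS volume for the stream read (on other systems `read_motw` simply reports the stream as absent), the standard `[ZoneTransfer]` INI layout of the stream, and the documented zone ids (3 = Internet, 4 = Restricted sites); the sample stream contents are constructed.

```python
"""Check whether files carry the Mark of the Web (Zone.Identifier ADS).

A file downloaded from the Internet normally has an alternate data stream
named Zone.Identifier whose contents look like:

    [ZoneTransfer]
    ZoneId=3
    HostUrl=https://example.invalid/archive.iso

Files extracted from containers that do not propagate the stream have no
such ADS, so SmartScreen and Office protected view never trigger for them.
"""
from pathlib import Path

# Security zone ids as used by the ZoneId key.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier contents into a dict.

    Only keys under [ZoneTransfer] are kept; ZoneId is converted to int.
    """
    info = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    if "ZoneId" in info:
        try:
            info["ZoneId"] = int(info["ZoneId"])
        except ValueError:
            pass  # leave the malformed value as-is so it is visible in reports
    return info


def is_from_internet(info):
    """True when the parsed stream marks the file as Internet or Restricted zone."""
    return bool(info) and info.get("ZoneId") in (3, 4)


def read_motw(path):
    """Return the parsed Zone.Identifier for a file, or None if absent.

    The ADS is addressed as '<path>:Zone.Identifier'; on non-NTFS systems
    that path simply does not exist and None is returned.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def audit_directory(root):
    """List files under root (e.g. an extracted archive) that lack a MoTW stream."""
    missing = []
    for p in Path(root).rglob("*"):
        if p.is_file() and read_motw(p) is None:
            missing.append(str(p))
    return missing


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        for f in audit_directory(target):
            print(f"no Mark of the Web: {f}")
```

Pointing `audit_directory` at the contents of a mounted ISO or an extracted ZIP shows the gap the paragraph describes: a file that arrived inside such a container is reported as lacking the stream even though the container itself was downloaded.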
Since most of these methods are no longer as effective, hackers have come up with something new.
Via BleepingComputer