Little-known cyber criminals are exploiting a new attack technique that uses specially crafted management console files (MSC) to achieve full code execution through the Microsoft Management Console (MMC) and evade security defenses.

How the Windows Management Console Is Attacked

Elastic Security Labs has named this technique GrimResource after identifying an artifact ("sccm-updater.msc") that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.

"When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to the execution of adversary code, including malware," the company said in a statement shared on its site.

Security firm Elastic Security Labs then added: "Attackers can combine this technique with DotNetToJScript to achieve arbitrary code execution, which can lead to unauthorized access, system takeover, and more."

The attack on the Windows console arrives through files with rarely used extensions

The use of uncommon file types as malware delivery vectors is seen as yet another attempt by adversaries to bypass the security defenses Microsoft has put in place in recent years, including disabling macros by default in Office files downloaded from the internet.

Last month, South Korean cybersecurity firm Genians detailed the use of a malicious MSC file by the North Korea-linked hacking group known as Kimsuky to distribute malware.

GrimResource, on the other hand, exploits a cross-site scripting (XSS) vulnerability in the apds.dll library to execute arbitrary JavaScript code in the context of MMC; the XSS vulnerability was originally reported to Microsoft and Adobe in late 2018, although it remains unfixed to this day.

The implications of the JavaScript code involved

This is accomplished by adding a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file; when the file is opened with MMC, that reference triggers JavaScript code execution.

The technique not only bypasses ActiveX warnings, but it can also be combined with DotNetToJScript to achieve arbitrary code execution; the analyzed sample uses this approach to launch a .NET loader component called PASTALOADER, which ultimately paves the way for Cobalt Strike.
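Because the indicator the article describes is a StringTable entry pointing at the apds.dll resource, defenders can triage MSC files by parsing their XML and flagging such entries. The following is an added detection helper, not code from the article or from Elastic; the MSC samples are constructed for the example (a placeholder resource path, not the real sccm-updater.msc), and the check is a heuristic over the StringTable, not a full verdict.

```python
"""Triage helper: flag MSC console files whose StringTable references apds.dll."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal MMC console file whose StringTable carries a
# reference to apds.dll (resource path is a placeholder, not a real payload).
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/PLACEHOLDER-RESOURCE</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""

# Constructed benign sample: same layout, only ordinary display strings.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""

APDS_RE = re.compile(r"apds\.dll", re.IGNORECASE)


def stringtable_entries(msc_xml):
    """Return (ID, text) pairs for every <String> element in the console file."""
    root = ET.fromstring(msc_xml)
    return [(s.get("ID"), s.text or "") for s in root.iter("String")]


def find_apds_references(msc_xml):
    """Return StringTable entries that mention apds.dll; an empty list means
    the GrimResource indicator described above was not found."""
    return [(i, t) for i, t in stringtable_entries(msc_xml) if APDS_RE.search(t)]


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_MSC), ("benign", BENIGN_MSC)):
        print(name, find_apds_references(sample))
```

The same check can be run over .msc attachments pulled from mail gateways or download folders, where an apds.dll reference in a console file is a strong reason to quarantine it for analysis.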

[Image: example of the Management Console on Windows 11]

"After Microsoft disabled Office macros for documents from the internet, other infection vectors such as JavaScript, MSI files, LNK objects and ISO have increased in popularity," said security researchers Joe Desimone and Samir Bousseaden.

The researchers later concluded: "However, these other techniques are carefully scrutinized by defenders and have a high probability of being detected. Attackers developed a new technique to execute arbitrary code in Microsoft Management Console using specially crafted MSC files."

How to defend yourself from these and similar attacks, not only those via the Windows console

To defend against these types of attacks, it is essential to take some basic security measures. First, keep your operating system and all applications up to date, as patches and updates often address known vulnerabilities. Second, use reliable and up-to-date antivirus software (Windows Defender is already good, but a little help from Malwarebytes doesn't hurt) that can detect and block suspicious MSC files.

Users should be cautious about opening files from unverified or unknown sources, especially those with unusual extensions such as MSC; implementing security policies that limit user privileges can help prevent malware or malicious code from spreading within the system.

Most importantly: do not download from, or click on, misleading links.

Finally, ongoing training and user awareness are essential to recognize and avoid potential threats, thus reducing the risk of successful attacks.