After Microsoft’s well-founded decision to block Office macros by default in files downloaded from the internet, one of the most widely used malware-delivery techniques was disarmed. Spear-phishers were sent scrambling for alternative ways to gain a foothold on victim PCs. Several techniques have since surfaced to fill the void; the latest, dubbed “GrimResource”, is the one we explore in this post.
Macros are small programs that automate procedures inside a larger application such as Word or Excel. Embedding a malware loader in a macro was, and to a lesser extent still is, a very popular way for attackers to gain an initial foothold and then load more potent malware onto a victim’s PC.
GrimResource is a technique that combines a specially crafted MSC file with an old, unpatched cross-site scripting (XSS) flaw in a Windows library to achieve arbitrary code execution on Windows systems.
MSC (Microsoft Saved Console) files are XML configuration files for the Microsoft Management Console (MMC): they describe which snap-ins a console loads and how its tree view is laid out, and double-clicking one opens it in mmc.exe.
XSS (cross-site scripting) flaws let an attacker inject client-side script into web content viewed by other users; here the “web content” is an HTML resource that MMC renders internally.
The key to the technique is an XSS flaw in the apds.dll library. By placing a reference to the vulnerable resource in that library in the StringTable section of a crafted MSC file, an attacker can execute arbitrary JavaScript in the context of mmc.exe.
The first sample identified in the wild had 0 detections when it was uploaded to VirusTotal.
“In the wild” is the phrase security practitioners use for activity observed on real systems, outside of controlled research environments.
Here is how the sample works:
- The sample uses the transformNode obfuscation technique, which helps it evade ActiveX security warnings.
- This leads to an obfuscated VBScript that stores the target payload in a series of environment variables.
- It then uses DotNetToJScript to run an embedded .NET loader, dubbed PASTALOADER, which retrieves the payload from those environment variables.
- Finally, the loader spawns a new instance of dllhost.exe and injects the payload into it, using the deliberately stealthy DirtyCLR technique together with function unhooking and indirect syscalls.
- The final payload delivered, in this case, is Cobalt Strike.
- A much deeper technical analysis by the researchers who originally discovered the technique can be found here.
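Because the whole chain hinges on a StringTable entry pointing at the apds.dll resource, the cheapest place to catch a GrimResource-style file is a static scan of the .msc XML before anyone double-clicks it. The script below is an added example written for this post, not the original researchers’ detection logic: it parses an MSC file, walks every String element, and flags text that contains the indicators the technique depends on (apds.dll, the res:// protocol, redirect.html, a javascript: target, and the transformNode helper). The two sample consoles are constructed inline; the placeholder GUID and the inert “payload” string are not from any real sample, and the StringTables/StringTable/Strings/String layout is assumed to match ordinary MSC files.

```python
"""Static triage of .msc (Microsoft Saved Console) files for
GrimResource-style StringTable payloads. Added example, not the
original researchers' code."""
import sys
import xml.etree.ElementTree as ET

# Substrings a legitimate console configuration has no reason to contain,
# but which the technique described above relies on. Compared in lower case.
INDICATORS = (
    "apds.dll",       # library whose bundled HTML page carries the XSS flaw
    "res://",         # resource-protocol URL used to reach that page
    "redirect.html",  # the vulnerable page inside apds.dll
    "javascript:",    # the injected script target
    "transformnode",  # obfuscation helper noted in the analysis above
)


def scan_msc(data) -> list:
    """Return one finding per element whose text contains an indicator.

    `data` may be str or bytes (bytes lets the XML declaration pick the
    encoding). Raises ValueError if the input is not an MMC console file.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "MMC_ConsoleFile":
        raise ValueError(f"unexpected root element {root.tag!r}")

    findings = []
    for elem in root.iter():  # every element, any depth, including root
        text = (elem.text or "").strip()
        if not text:
            continue
        hits = [ind for ind in INDICATORS if ind in text.lower()]
        if hits:
            findings.append({
                "element": elem.tag,
                "id": elem.get("ID"),      # String elements carry an ID attribute
                "indicators": hits,
                "preview": text[:80],      # enough to read the URL, not the whole payload
            })
    return findings


# Constructed samples (not real files). The GUID is a placeholder and the
# javascript: target contains no working payload.
MALICIOUS_SAMPLE = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:eval("/* placeholder */")</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

BENIGN_SAMPLE = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def main(paths):
    """CLI: scan each path, print findings, exit 1 if anything was flagged."""
    flagged = False
    for path in paths:
        with open(path, "rb") as fh:
            try:
                findings = scan_msc(fh.read())
            except ValueError as exc:
                print(f"{path}: skipped ({exc})")
                continue
        for f in findings:
            flagged = True
            print(f"{path}: {f['element']} ID={f['id']} hits={f['indicators']} :: {f['preview']}")
        if not findings:
            print(f"{path}: clean")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_msc.py *.msc` against a mail-gateway quarantine or a user’s Downloads folder. The check is deliberately dumb on purpose: it keys on the resource the exploit cannot do without rather than on the obfuscated script, so a new PASTALOADER variant or a different final payload does not change the verdict. It will not see a file whose StringTable has been further encoded by a future variant, so pair it with the process-level signal the analysis above implies: mmc.exe should not normally be spawning script hosts or dllhost.exe.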
It is important that techniques and cases like this be brought to the attention of the general public in simple language. This is what I hope to achieve with Decrypting. Simplify Security.
Stay Secure and do not open unknown files.