The GrimResource attack begins with a malicious MSC file that attempts to exploit an old DOM-based cross-site scripting (XSS) flaw in the 'apds.dll' library, which allows the execution of arbitrary JavaScript through a crafted URL. The vulnerability was reported to Adobe and Microsoft in October 2018, and while both investigated, Microsoft determined that the case did not meet the criteria for immediate fixing. As of March 2019, the XSS flaw remained unpatched, and it is unclear if it was ever addressed. BleepingComputer contacted Microsoft to confirm if they patched the flaw, but a comment wasn’t immediately available.
The malicious MSC file distributed by attackers contains a reference to the vulnerable APDS resource in the StringTable section, so when the target opens it, MMC processes it and triggers the JS execution in the context of 'mmc.exe'.
Reference to apds.dll Redirect in StringTable
Elastic explains that the XSS flaw can be combined with the 'DotNetToJScript' technique to execute arbitrary .NET code through the JavaScript engine, bypassing any security measures in place. The examined sample uses 'transformNode' obfuscation to evade ActiveX warnings, while the JS code reconstructs a VBScript that uses DotNetToJScript to load a .NET component named 'PASTALOADER'.
PASTALOADER retrieves a Cobalt Strike payload from the environment variables set by the VBScript, spawns a new instance of 'dllhost.exe,' and injects it using the 'DirtyCLR' technique combined with function unhooking and indirect system calls.
Elastic researcher Samir Bousseaden shared a demonstration of the GrimResource attack on X.
Stopping GrimResource
In general, system administrators are advised to be on the lookout for the following:
- File operations involving apds.dll invoked by mmc.exe.
- Suspicious executions via MCC, especially processes spawned by mmc.exe with .msc file arguments.
- RWX memory allocations by mmc.exe that originate from script engines or .NET components.
- Unusual .NET COM object creation within non-standard script interpreters like JScript or VBScript.
- Temporary HTML files created in the INetCache folder as a result of APDS XSS redirection.
Elastic Security has also published a complete list of GrimResource indicators on GitHub and provided YARA rules in the report to help defenders detect suspicious MSC files.