Microsoft console files are being exploited to let hackers gain access to private systems

News
By
published

MSC files used to target a known Windows flaw

Hackers are now using custom-made MSC files to abuse a known, but unpatched, Windows cross-site scripting (XSS) vulnerability which could allows them to remotely execute malware or malicious code on target devices.

Cybersecurity researchers from the Elastic team recently spotted threat actors distributing Microsoft Saved Console (MSC) files, which are generally used by the Microsoft Management Console (MMC). This tool handles different parts of the operating system, and can create custom views of commonly accessed tools. 

In this case, however, MSC files exploit an old DOM-based XSS flaw, allowing for the execution of arbitrary JavaScript through carefully crafted URLs.  The JavaScript code, in turn, ends up deploying a Cobalt Strike beacon for initial access to target networks. However, the researchers are saying it could also be used to run other commands, as well.

Novel ways to drop malware

This is a new command execution technique, the researchers said, which is why they dubbed it “GrimResource”.

Who the attackers are, or how they usually deliver these MSC files to their victims was not discussed. However, it is safe to assume that they are doing it through usual channels, such as phishing, instant messaging, social engineering, fake landing pages, and similar.

Threat actors were essentially pushed into discovering new ways to deploy malware, since Microsoft disabled macros on Office files downloaded from the internet. 

Macros were, by far, the most popular attack vector, as they allowed hackers to deploy malware through innocent-looking Office documents (Word, Excel, and PowerPoint files). When that method no longer worked, they pivoted towards shortcut files (.LNK), image files (ISO) wrapped in a .ZIP or similar archive, and more. These file types did not properly propagate Mark of the Web (MoTW) flags to extracted files, allowing the malware to pass certain safety checks.

Now, since most of these methods are no longer as effective, hackers came up with something new.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.