Microsoft console files are being exploited to let hackers gain access to private systems

MSC files used to target a known Windows flaw


Hackers are now using custom-made MSC files to abuse a known, but unpatched, Windows cross-site scripting (XSS) vulnerability which could allow them to remotely execute malware or malicious code on target devices.

Cybersecurity researchers from the Elastic team recently spotted threat actors distributing Microsoft Saved Console (MSC) files, which are generally used by the Microsoft Management Console (MMC). This tool handles different parts of the operating system, and can create custom views of commonly accessed tools.

In this case, however, the MSC files exploit an old DOM-based XSS flaw, allowing for the execution of arbitrary JavaScript through carefully crafted URLs. The JavaScript code, in turn, ends up deploying a Cobalt Strike beacon for initial access to target networks. However, the researchers say it could also be used to run other commands.
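A defender-side check that follows from the description above: because an MSC file is XML whose string table carries the text a console displays and navigates to, a simple scanner can flag entries that contain script markers or URLs before the file reaches MMC. This is an added example written for this article, not Elastic's tooling; it assumes the console-file layout shown in the constructed samples (MMC_ConsoleFile > StringTables > StringTable > Strings > String), and the sample files are constructed, not real malicious ones.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics applied to every string-table entry of a console file.
# Assumption: the element layout used below matches real MSC files.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
    ("external-url", re.compile(r"\b(?:https?|file)://", re.I)),
]

def scan_msc(xml_text: str) -> list[tuple[str, str]]:
    """Return (reason, entry) pairs for each string-table entry that
    matches a heuristic; raise ValueError if the XML is not a console file.
    Note: stdlib ElementTree is used here; for untrusted input in
    production, parse with defusedxml to resist entity-expansion abuse."""
    root = ET.fromstring(xml_text)
    if root.tag != "MMC_ConsoleFile":
        raise ValueError("not an MMC console file")
    hits = []
    for node in root.iter("String"):
        text = (node.text or "").strip()
        for reason, pattern in SUSPICIOUS:
            if pattern.search(text):
                hits.append((reason, text))
    return hits

# Constructed sample: a plain console whose string table only names a tool.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Event Viewer</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Constructed sample: a string-table entry that carries an external URL with
# a javascript: fragment, the kind of content a console file has no reason
# to contain. The host is a placeholder (example.invalid).
SUSPECT_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Services</String>
    <String ID="2" Refs="1">https://example.invalid/c?p=javascript:void(0)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("suspect", SUSPECT_MSC)):
        print(name, scan_msc(doc))
```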

Novel ways to drop malware


This is a new command execution technique, the researchers said, which is why they dubbed it “GrimResource”.

Who the attackers are, or how they usually deliver these MSC files to their victims was not discussed. However, it is safe to assume that they are doing it through usual channels, such as phishing, instant messaging, social engineering, fake landing pages, and similar.

Threat actors were essentially pushed into discovering new ways to deploy malware, since Microsoft disabled macros on Office files downloaded from the internet.

Macros were, by far, the most popular attack vector, as they allowed hackers to deploy malware through innocent-looking Office documents (Word, Excel, and PowerPoint files). When that method no longer worked, they pivoted towards shortcut files (.LNK), disc image files (ISO) wrapped in a .ZIP or similar archive, and more. These file types did not properly propagate Mark of the Web (MoTW) flags to extracted files, allowing the malware to pass certain safety checks.


Now, since most of these methods are no longer as effective, hackers came up with something new.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
