5 Shocking Ways Hackers Are Bypassing Security Now (3 Will Make You Sweat)
Hackers are hiding malware in unusual files like MSCs to dodge detection by security software. This “GrimResource” technique exploits a known flaw in Microsoft tools to run malicious code. Even with macro protection on, attackers are finding sneaky ways to gain access to your system.

GrimResource: MSC exploit for MMC libraries
The GrimResource technique represents a significant security concern: it leverages specially crafted MSC files to exploit vulnerabilities in MMC libraries and gain full code execution.
This approach can bypass security measures and lead to serious consequences such as unauthorized access or system compromise. It’s crucial for organizations to stay informed about such threats and keep their security measures up to date to mitigate these risks effectively.
Uncommon file types bypass security
The use of uncommon file types like MSC files as a malware distribution vector is becoming more prevalent as adversaries seek to evade Microsoft’s tightened security measures, such as default macro disabling in Office files downloaded from the internet.
Recently, the GrimResource technique has exploited a cross-site scripting (XSS) vulnerability in the apds.dll library to execute arbitrary JavaScript within the MMC context. This flaw, initially reported to Microsoft and Adobe in late 2018, remains unpatched.
Attackers achieve this by manipulating the StringTable section of a malicious MSC file to reference the vulnerable APDS resource. When opened in MMC, this triggers the execution of JavaScript code, illustrating the sophistication and persistence of modern cyber threats.
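Because an MSC console file is plain XML, a defender can triage suspicious samples by inspecting the StringTable entries the article describes. The following scanner is an added example, not code from the original article or from any vendor: it parses a console file, walks every StringTable `String` entry and flags any that references apds.dll or carries inline script. The two embedded console files are constructed samples that imitate the MMC_ConsoleFile layout (the root element name, the StringTables/StringTable/Strings/String nesting and the `ID`/`Refs` attributes are assumptions about that layout); the placeholder resource path in the suspicious sample is invented for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a benign console file in the assumed MMC_ConsoleFile layout.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample whose StringTable references apds.dll, the library the article names.
# The resource path is a placeholder, not a real payload.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/CONSTRUCTED_PLACEHOLDER.html</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Indicators a triage analyst would look for inside StringTable entries:
# a reference to the apds.dll resource, or script content smuggled into a string.
INDICATORS = [
    ("apds_reference", re.compile(r"apds\.dll", re.IGNORECASE)),
    ("inline_script", re.compile(r"<script|javascript:", re.IGNORECASE)),
]


def scan_msc(xml_text: str) -> list:
    """Return one finding per StringTable entry that matches an indicator.

    Each finding is a dict with the entry's ID, the indicator name and the
    offending text. An empty list means nothing suspicious was found. A file
    that is not well-formed XML yields a single 'unparseable' finding, since a
    deliberately malformed console file is itself worth a second look.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"id": None, "indicator": "unparseable", "value": str(exc)}]

    findings = []
    if root.tag != "MMC_ConsoleFile":
        return findings  # not a console file at all; out of scope for this check

    # Walk every String element under any StringTable, wherever it sits in the tree.
    for entry in root.iter("String"):
        text = entry.text or ""
        for name, pattern in INDICATORS:
            if pattern.search(text):
                findings.append({"id": entry.get("ID"), "indicator": name, "value": text})
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(label, scan_msc(sample))
```

The check is deliberately narrow: it only reads string content, so it produces no false positives on the ordinary snap-in names a legitimate console stores, and it can be extended with further indicators by appending to `INDICATORS`. Running it over a directory of `.msc` files received by e-mail or downloaded from the internet gives a cheap first-pass filter before deeper analysis.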
GrimResource: MSC bypasses macros for Cobalt Strike
The GrimResource technique not only circumvents ActiveX warnings but also utilizes DotNetToJScript to achieve arbitrary code execution. The analyzed sample employs this method to launch a .NET loader component named PASTALOADER, which serves as a precursor to deploying Cobalt Strike.
Since Microsoft’s default disabling of Office macros for internet-sourced documents, alternative infection vectors such as JavaScript, MSI files, LNK objects, and ISOs have gained popularity. However, these methods are closely monitored by defenders and are more likely to trigger detection.
In response, attackers have innovated with a novel approach involving crafted MSC files to execute arbitrary code within Microsoft Management Console, highlighting their adaptability and persistence in evading security measures.