After Microsoft finally disabled macros by default for Office files that carry the ‘Mark of the Web’ (MotW) flag, threat actors adapted by changing their initial infection vector: first to ISO and ZIP archives, then to MSI and LNK files, and now to MSC1 (Management Saved Console) files. An MSC file is a saved console for the Microsoft Management Console (mmc.exe), the framework that hosts administrative snap-ins, including the SCCM (System Center Configuration Manager) console, so mmc.exe is present and trusted in most enterprise environments. Threat actors have now begun to abuse this readily available, signed system component, as they did with PowerShell and C.
The overall pattern of these phishing campaigns is still much the same: a threat actor creates a malicious file, uploads it to a file-sharing platform (usually OneDrive), then sends out millions of emails prompting potential victims to download it, typically under the guise of an invoice. What has changed recently is the lure itself. Rather than a malicious ISO, ZIP, LNK or MSI file, we are seeing MSC files disguised as Word documents.
This newly popularized technique is what some researchers are dubbing ‘GrimResource’2. When a user downloads and opens the MSC file, mmc.exe loads it and the file can run arbitrary code. The key to the attack is an unpatched cross-site scripting flaw in the ‘apds.dll’ library, reported to Microsoft in October 20183. The MSC file’s StringTable references the vulnerable HTML resource inside apds.dll with a JavaScript payload appended, so the script executes in the context of mmc.exe; that script calls out to the Command and Control (C2) server for instructions and carries them out on the infected host.
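Because an MSC file is plain XML with an MMC_ConsoleFile root, a responder can triage a suspicious one without opening it in mmc.exe. The script below is an added example written for this post, not code from the original page or from the GrimResource researchers: it walks every StringTable entry and every base64 Binary blob and flags references to apds.dll, redirect.html or embedded script. The two sample consoles it builds are constructed for the demonstration; the exact strings used by real samples differ, and the pattern list is a starting point for a hunt, not a complete signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Indicators a benign saved console has no reason to carry. apds.dll and its
# redirect.html are what GrimResource abuses; the rest are generic script markers.
SUSPICIOUS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"apds\.dll", r"redirect\.html", r"javascript:", r"<script\b",
              r"transformNode", r"ActiveXObject")
]


def _match(text, where):
    """Findings for one piece of text, labelled with where it was found."""
    return [f"{where}: matches {p.pattern}" for p in SUSPICIOUS_PATTERNS if p.search(text)]


def scan_msc(xml_text):
    """Return a list of findings for an MSC document; an empty list means clean."""
    root = ET.fromstring(xml_text)
    if root.tag != "MMC_ConsoleFile":
        return [f"root element is <{root.tag}>, not <MMC_ConsoleFile>"]
    findings = []
    # 1. StringTable entries: GrimResource points at apds.dll's HTML from here.
    for s in root.iter("String"):
        findings += _match(s.text or "", f"String ID={s.get('ID')}")
    # 2. BinaryStorage blobs: base64 that decodes to script is a red flag.
    for b in root.iter("Binary"):
        raw = re.sub(r"\s+", "", "".join(b.itertext()))   # real files wrap base64
        try:
            blob = base64.b64decode(raw, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):   # blobs may use either encoding
            for f in _match(blob.decode(enc, "ignore"), f"Binary Name={b.get('Name')}"):
                if f not in findings:
                    findings.append(f)
    return findings


def scan_msc_file(path):
    """Read an .msc from disk (UTF-8, BOM tolerated) and scan it."""
    with open(path, encoding="utf-8-sig") as fh:
        return scan_msc(fh.read())


def _console(strings, binary=None):
    """Build a constructed MMC_ConsoleFile document for the demonstration."""
    string_xml = "".join(
        f'<String ID="{i}" Refs="1">{s}</String>' for i, s in enumerate(strings, 1))
    binary_xml = ""
    if binary is not None:
        b64 = base64.b64encode(binary).decode()
        binary_xml = f'<BinaryStorage><Binary Name="CONSOLE_MENUS">{b64}</Binary></BinaryStorage>'
    return (
        '<?xml version="1.0"?>'
        '<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">'
        f"<StringTables><StringTable><Strings>{string_xml}</Strings></StringTable></StringTables>"
        f"{binary_xml}</MMC_ConsoleFile>"
    )


# Constructed samples for this example (not real in-the-wild files).
SAMPLE_BENIGN = _console(["Event Viewer (Local)", "Console Root"])
SAMPLE_MALICIOUS = _console(
    ["Invoice_2024-06.docx",
     "res://apds.dll/redirect.html?target=javascript:eval(document.title)"],
    binary=b"<script>new ActiveXObject('WScript.Shell');</script>",
)

if __name__ == "__main__":
    for name, doc in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(f"{name}: {scan_msc(doc) or ['clean']}")
```

Point `scan_msc_file()` at a quarantined download to get the same findings list; anything that names apds.dll or decodes to script deserves a closer look, since a console saved by an administrator contains snap-in names and layout data, not HTML resources or JavaScript.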
When the initial sample was first uploaded to VirusTotal on June 6, 2024, no security engine flagged it as malicious. As of this writing, eleven of seventy-eight engines flag it as a Trojan7. So far, these attacks have dropped Cobalt Strike on infected endpoints; we anticipate other payloads will follow as more threat actor groups add GrimResource to their toolset.