Overview

QiAnXin Threat Intelligence Center and the Falcon Operations Team observed in daily operations that in June 2024 several foreign counterparts reported in-the-wild attacks using the new GrimResource technique [1]. We promptly researched the technique and have been monitoring it continuously. In mid-July 2024 we discovered the first incident on government and enterprise endpoints and assessed the attack as financially motivated cybercrime (黑产). The attackers used SEO to promote fake Chrome browser download sites:

The GrimResource technique exploits an XSS flaw in MMC system files to execute JavaScript, then uses DotNetToJScript to load an arbitrary .NET assembly into memory. This both bypasses the ActiveX control warning and enables fileless payload execution. It is foreseeable that MSC spear-phishing emails will replace LNK files and Office macro documents as attackers' most commonly used phishing bait. Government and enterprise customers are advised not to download software installers from unofficial websites. We disclose the MSC bait's attack chain in detail below so that customers can check their own environments.


Technical Details

The attacker designed a very complex execution chain:

In the original MSC file, the attacker obfuscated the JS code.

After deobfuscation, we found that the attacker had used the jsjiami.com.v7 obfuscation library at the innermost layer.

The final request downloads the second stage, a heavily obfuscated JS file, from 154.91.65.103/0day.js. The deobfuscated content mainly loads 154.91.65.103/0day.xsl, whose content is as follows:

Deserialization then executes a Base64-encoded .NET downloader. The DLL is named TestAssembly.dll and ships with a PDB:

Its main function is to download components including Bandzip, Python, code.zip and Autokey.

A scheduled task is created for wd.exe, the legitimate (whitelisted) executable of the Autokey component; on startup it loads the wd.ahk script from the same directory.

The AHK script's main job is to use the Bandzip component to extract code.zip with the password 403team.

It then calls the Python environment component to start code.py with the following content:

The Python script is also a downloader: it fetches shellcode from a remote server (http://comc0m.com/huiyuan/154.91.65.103.bin) and loads it into memory. We have named this shellcode the codemark downloader. It requests an encrypted payload from the C2 server on port 1688 of 154.91.65.103.

Decrypting the payload yields the final codemark RAT, with the following exported functions:

This Trojan has previously been disclosed by peers [2], with the callback domain yk.ggdy.com.

In addition, TestAssembly.dll also launches a PowerShell command that runs a remote PS script (154.91.65.103/ps1.txt), ultimately loading the commercial remote control tool Winos.
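As an added self-check example (not the report's own tooling), the following Python scanner flags the traits this chain relies on inside an .msc file's StringTable: a reference to the apds.dll redirect host that GrimResource abuses (assumed from the public technique description, not named in this report), embedded script or XSL-loading strings, and the network indicators named above. Both console files below are constructed samples, not the real bait.

```python
import re
import xml.etree.ElementTree as ET

# Indicators: GrimResource mechanics (apds.dll XSS host, inline script, XSL loading)
# plus the network indicators this report names. Patterns are assumptions, not a full signature.
PATTERNS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.I),
    "inline_script": re.compile(r"<script|javascript:|ActiveXObject|eval\s*\(", re.I),
    "xsl_transform": re.compile(r"\.xsl\b|transformNode", re.I),
    "report_c2": re.compile(r"154\.91\.65\.103|comc0m\.com", re.I),
}

def scan_msc(xml_text: str) -> dict:
    """Return {indicator_name: [matching StringTable values]} for an MSC file body."""
    root = ET.fromstring(xml_text)
    if root.tag != "MMC_ConsoleFile":
        raise ValueError("not an MMC console file")
    hits = {name: [] for name in PATTERNS}
    # The payload lives in StringTable <String> entries, so walk every one of them.
    for node in root.iter("String"):
        text = node.text or ""
        for name, pat in PATTERNS.items():
            if pat.search(text):
                hits[name].append(text[:80])
    return {k: v for k, v in hits.items() if v}

def is_suspicious(xml_text: str) -> bool:
    return bool(scan_msc(xml_text))

# Constructed samples: a benign console and one carrying the markers (no real payload).
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0"><StringTables><StringTable>
<Strings><String ID="1">Event Viewer (Local)</String></Strings>
</StringTable></StringTables></MMC_ConsoleFile>"""

SUSPECT_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0"><StringTables><StringTable>
<Strings><String ID="1">C:\\Windows\\System32\\apds.dll</String>
<String ID="2">&lt;script&gt;/* obfuscated loader removed */&lt;/script&gt;</String>
<String ID="3">http://154.91.65.103/0day.xsl</String></Strings>
</StringTable></StringTables></MMC_ConsoleFile>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_MSC), ("suspect", SUSPECT_MSC)):
        print(label, scan_msc(body))
```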


Summary

Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, have precise detection capabilities for such attacks.


IOC

MD5:

C2:

154.91.65.103:1688

154.91.65.103:80

hxxp://comc0m.com/huiyuan/154.91.65.103.bin


Reference Links

[1] https://www.bleepingcomputer.com/news/security/new-grimresource-attack-uses-msc-files-and-windows-xss-flaw-to-breach-networks/

[2] https://www.bilibili.com/read/cv25135288/