Hackers Use Rare Stealth Techniques to Down Asian Military, Gov't Orgs

Summary:
A sophisticated cyber campaign is currently targeting high-profile organizations in Southeast Asia, employing two advanced and under-the-radar techniques to infiltrate their systems. The first technique, called "GrimResource," leverages a method to execute arbitrary code within the Microsoft Management Console, a key system utility in Windows. This technique exploits a six-year-old cross-site scripting vulnerability in the Windows Authentication Protocol Domain Support library. GrimResource allows attackers to embed malicious JavaScript within MSC files, a file format used to save configurations and settings within MMC. When a victim opens the MSC file, the embedded JavaScript automatically triggers, downloading and running a renamed legitimate Microsoft executable to initiate the infection, eliminating the need for the victim to click on a suspicious link.

The second technique, known as "AppDomainManager Injection," injects malicious code into .NET applications through a manipulated AppDomainManager class. This approach is easier to execute than traditional DLL side-loading: it relies on setting specific environment variables or placing a custom configuration file that directs the application to load the attacker's AppDomainManager class instead of the legitimate one. Once in place, this technique effectively turns nearly any .NET application into a tool for executing the attacker's code, leveraging a legitimate process to evade detection.
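Added example (not code from the article or from NTT's research): a small Python check, from the defender's side, that flags the two places where the .NET Framework can be told to load a different AppDomainManager, the `<runtime>` section of an application's `.exe.config` and the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables. The element and variable names are Microsoft's documented settings; the assembly and type names in the sample configs are made-up placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Documented .NET Framework settings that redirect which AppDomainManager the runtime loads.
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

def find_config_indicators(config_xml: str) -> dict:
    """Return {element: value} for AppDomainManager settings under <configuration><runtime>."""
    found = {}
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return found
    for elem in runtime:
        tag = elem.tag.split("}")[-1]  # tolerate a namespace prefix on the element
        if tag in CONFIG_ELEMENTS:
            found[tag] = elem.get("value", "")
    return found

def find_env_indicators(environ=None) -> dict:
    """Return any AppDomainManager override variables present in the environment."""
    env = os.environ if environ is None else environ
    return {name: env[name] for name in ENV_VARS if name in env}

def assess(config_xml: str, environ=None) -> list:
    """Combine both checks into findings; an empty list means nothing was flagged."""
    findings = []
    for label, hits in (("config", find_config_indicators(config_xml)),
                        ("environment", find_env_indicators(environ))):
        if hits:
            detail = ", ".join(f"{k}={v!r}" for k, v in sorted(hits.items()))
            findings.append(f"{label} redirects AppDomainManager: {detail}")
    return findings

# Constructed sample: an .exe.config that points a .NET application at a placeholder assembly.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlaceholderLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PlaceholderLoader.Manager" />
  </runtime>
</configuration>"""

# Constructed sample: an ordinary config whose <runtime> section carries an unrelated setting.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
</configuration>"""
```

In practice `assess` would be run over the `.exe.config` next to each .NET binary on a host (and over the environment of a running process), with any non-empty result treated as a lead for review rather than proof of compromise, since legitimate software can set these values too.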

Security Officer Comments:
Since July 2024, researchers at NTT have observed an attacker group bearing similarities to the notorious Chinese APT41 using these techniques in tandem to deploy Cobalt Strike, a popular post-exploitation tool, onto IT systems belonging to Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam. The attacks typically begin with spear-phishing emails that contain ZIP files, which appear to hold legitimate documents but actually contain the malicious MSC file, disguised with icons resembling a Windows certificate or PDF.

MSC files have become more popular among advanced threat actors, especially after Microsoft tightened controls on other file types like MSIs, ISOs, and LNK files that were previously exploited for similar attacks. The flexibility of MSC files, combined with older vulnerabilities in MMC, makes them an attractive vector for sophisticated campaigns like this one. AppDomainManager Injection, while not new, has been rarely observed in the wild until now. NTT researchers warn that AppDomainManager Injection could see increased use in future attacks due to its relative ease of execution compared to traditional methods.

Suggested Corrections:
To defend against these techniques, researchers recommend a strong focus on preventive measures, particularly around email hygiene and the implementation of controls that can block the execution of malicious payloads before they can cause damage. Basic steps like blocking ZIP files at the MMC level and ensuring robust email security practices are key to mitigating the risk posed by these advanced threats.

Link(s):
https://www.darkreading.com/applica...h-techniques-to-down-asian-military-govt-orgs