GrimResource Technique Exploits Years-Old Unpatched Windows XSS Flaw

New GrimResource technique exploits a 2018-old, unpatched, Windows XSS flaw and crafted MSC files to deploy malware via the Microsoft Management Console.
Researchers detected the new exploitation technique in the wild on June 6th, 2024.
Exploiting the Microsoft Management Console could enable hackers to evade security measures and gain initial access.
Although researchers reported finding the vulnerability in October 2018, the flaw still affects the latest Windows 11 version and didn't receive a patch.
The GrimResource code execution technique explained.
The first step in this complex process is the hackers tricking their target to click on a forged MSC file.
Reportedly, researchers observed how the attackers contact their victim on Facebook and have them downloading a Word document.
The document is actually an MSC file that mimics a Word document.
The hackers forged the file's icon so that it looks like a Word, not an MSC document.
By using it along with crafted MSC files, hackers can execute arbitrary JavaScript in the context of mmc.
Further on, they use DotNetToJScript to execute a.NET loader dubbed PASTALOADER. The loader retrieves the payload from environment variables and injects it into a new dllhost.
One of the final payloads the researchers observed was Cobalt Strike.
Threat detection helps keeping safe your environment, but preventing the threat works better.
Just like many other attacks, the GrimResource also relies on online malicious communication.
Using a DNS filtering tool helps spot and block harmful connections before the hackers get to enter your system.
Heimdal's predictive DNS has a 96% accuracy rate in detecting malicious domains even if they weren't yet listed as such.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.
Get cybersecurity updates you'll actually want to read directly in your inbox.
Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity.

This Cyber News was published on heimdalsecurity.com. Publication date: Wed, 26 Jun 2024 19:13:05 +0000

Cyber News related to GrimResource Technique Exploits Years-Old Unpatched Windows XSS Flaw

GrimResource Technique Exploits Years-Old Unpatched Windows XSS Flaw - New GrimResource technique exploits a 2018-old, unpatched, Windows XSS flaw and crafted MSC files to deploy malware via the Microsoft Management Console. Researchers detected the new exploitation technique in the wild on June 6th, 2024. Exploiting ...
7 months ago Heimdalsecurity.com

Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com

Juniper Networks fixed a critical authentication bypass flaw in some of its routers - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 ...
7 months ago Securityaffairs.com

Purple teaming and the role of threat categorization - Red team assessment, penetration testing, and even purple team assessments are all designed to answer these questions. As attacks get more complex, these assessments struggle to provide comprehensive answers. These assessment services typically test ...
1 year ago Helpnetsecurity.com

An Argument for Coordinated Disclosure of New Exploits - There were more than 23,000 vulnerabilities discovered and disclosed. While not all of them had associated exploits, it has become more and more common for there to be a proverbial race to the bottom to see who can be the first to release an exploit ...
8 months ago Darkreading.com

Raspberry Robin malware evolves with early access to Windows exploits - Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them. One-day exploits refer to code that leverages a vulnerability that the developer of the ...
11 months ago Bleepingcomputer.com

High-severity flaw affects Cisco Firepower Management Center - CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Hackers ...
8 months ago Securityaffairs.com

Hackers abuse Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
10 months ago Bleepingcomputer.com

Hackers exploit Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
10 months ago Bleepingcomputer.com

Raspberry Robin devs are buying exploits for faster attacks The Register - Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks. An exploit developer is thought by infosec pros to be either on the Raspberry Robin payroll or a close contact that sells them to ...
11 months ago Go.theregister.com

Critical Apache Log4j2 flaw still threatens global finance - Critical Apache Log4j2 flaw still threatens global finance. CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise ...
8 months ago Securityaffairs.com

Critical unauthenticated RCE flaw in OpenSSH server - MUST READ. Critical unauthenticated remote code execution flaw in OpenSSH server. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities ...
7 months ago Securityaffairs.com

Fake AV websites used to distribute info-stealer malware - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Threat actors actively ...
8 months ago Securityaffairs.com

10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
1 year ago Techtarget.com

Fake AV websites used to distribute info-stealer malware - CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
8 months ago Securityaffairs.com

45k Jenkins servers exposed to RCE attacks using public exploits - Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2023-23897, a critical remote code execution flaw for which multiple public proof-of-concept exploits are in circulation. Jenkins is a leading open-source ...
1 year ago Bleepingcomputer.com

Years-Old, Unpatched GWT Vuln Leaves Apps Open to Server-Side RCE - More than eight years after it first came to light, an unauthenticated Java deserialization vulnerability lurking in the Google Web Toolkit open source application framework remains unpatched, and could require fundamental framework fixes to ...
1 year ago Darkreading.com

Microsoft extends Windows Server 2012 ESUs to October 2026 - Microsoft provides three more years of Windows Server 2012 Extended Security Updates until October 2026, giving administrators more time to upgrade or migrate to Azure. The company also prolonged the end date for Windows Server 2012 and extended ...
1 year ago Bleepingcomputer.com

Attackers Can Bypass Windows Security Using New DLL Hijacking - Threat actors using the DLL Hijacking technique for persistence have been the order of the day and have been utilized in several attacks. This attack method allows bypassing the privilege requirement for executing certain malicious codes on the ...
1 year ago Cybersecuritynews.com

Windows 11 24H2 now rolling out, here are the new features - Version 24H2 is now also accessible via Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Microsoft 365 admin center. Microsoft suggests that businesses start targeted rollouts to ensure ...
4 months ago Bleepingcomputer.com

Microsoft issues two-year warning for end of Windows 10 The Register - Microsoft on Tuesday warned that full security support for Windows 10 will end on October 14, 2025, but offered a lifeline for customers unable or unwilling to upgrade two years hence. Extended Security Updates will keep Windows 10 systems ...
1 year ago Go.theregister.com

Privilege elevation exploits used in over 50% of insider attacks - Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner. A report by ...
1 year ago Bleepingcomputer.com

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections - Security researchers have outlined a fresh variant of a dynamic link library search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and ...
1 year ago Cysecurity.news

Microsoft No Longer Selling Windows 10 Licenses Redirects to Windows 11 Product Pages - Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro ...
2 years ago Bleepingcomputer.com

Latest Cyber News

CVE-2025-24982 - 11 hours ago
CVE-2025-22475 - 13 hours ago
CVE-2025-1003 - 16 hours ago
CVE-2025-0148 - 17 hours ago
CVE-2025-24957 - 18 hours ago
CVE-2025-24958 - 18 hours ago
CVE-2025-22129 - 18 hours ago
CVE-2025-23210 - 18 hours ago
CVE-2025-24029 - 18 hours ago
CVE-2025-24371 - 18 hours ago
CVE-2025-24901 - 18 hours ago
CVE-2025-24902 - 18 hours ago
CVE-2025-24905 - 18 hours ago
CVE-2025-24906 - 18 hours ago
CVE-2024-35177 - 18 hours ago
CVE-2024-47770 - 18 hours ago
CVE-2025-24960 - 19 hours ago
CVE-2025-24961 - 19 hours ago
CVE-2025-24962 - 19 hours ago
CVE-2025-22918 - 19 hours ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

CVE-2024-20141 - 1 day ago
CVE-2024-20142 - 1 day ago
CVE-2024-20147 - 1 day ago
CVE-2025-20631 - 1 day ago
CVE-2025-20632 - 1 day ago
CVE-2025-20633 - 1 day ago
CVE-2025-20634 - 1 day ago
CVE-2025-20635 - 1 day ago
CVE-2025-20636 - 1 day ago
CVE-2025-20637 - 1 day ago
CVE-2025-20638 - 1 day ago
CVE-2025-20639 - 1 day ago
CVE-2025-20640 - 1 day ago
CVE-2025-20641 - 1 day ago
CVE-2025-20642 - 1 day ago
CVE-2025-20643 - 1 day ago
CVE-2025-25062 - 1 day ago
CVE-2025-25063 - 1 day ago
CVE-2024-57966 - 1 day ago
CVE-2024-13347 - 1 day ago