Hackers Use Rare Stealth Techniques to Down Asian Military, Gov't Orgs

An ongoing campaign is using two largely unheralded stealth techniques to infect high-level organizations in southeast Asia.

The first, "GrimResource," is a new technique that allows attackers to execute arbitrary code in the Microsoft Management Console (MMC).

The second trick, "AppDomainManager Injection," uses malicious dynamic link libraries (DLLs), but in a way that's easier than traditional sideloading. It's been around for seven years, used by threat actors from Iran, China, the broader open source community, pen testers, and others. Still, it's rarely seen in malicious campaigns in the wild.

Since July, say NTT researchers in a new blog post, an attacker with similarities to China's APT41 has been using these techniques in combination to drop Cobalt Strike onto IT systems belonging to Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam.

How GrimResource Works

Attacks as part of this campaign begin with a ZIP file, contained in a phishing email or malicious website.

The ZIP contains a file with a Windows certificate or PDF icon. In fact, it is a management saved console (MSC) file, a type of file used to save configurations and settings within the MMC.

MSCs have been growing in popularity lately among threat actors. As Jake King, head of threat and security intelligence at Elastic explains, it began when Microsoft released a number of changes to default controls that were available to execute payloads from emails. "We started to see low-hanging fruit exploitations using MSIs, ISOs, and LNK files. But more advanced groups started to take advantage of MSC as that initial vector," he says.

"It's a pretty interesting, capable file format, [and] it had drawn less attention than many of the more common file formats that were commonly being abused," he adds, noting, "MMC has a number of persistence mechanisms you can kind of take advantage of — some old vulnerabilities."

One technique for exploiting just such a vulnerability is GrimResource, first discovered by Elastic in July. GrimResource takes advantage of a six-year-old cross site scripting (XSS) issue in Windows' Authentication Protocol Domain Support (APDS) library to enable arbitrary code execution in MMC. In this campaign, the attackers use it to eliminate a step in the infection process: Rather than having a victim click a malicious link in the MSC file, simply opening the MSC file will trigger embedded Javascript.

The malicious Javascript then downloads and runs a legitimate, signed Microsoft executable — "dfsvc.exe" — renamed to "oncesvc.exe." But if the file is perfectly honest, how can it be used to download malware?

Activating AppDomainManager Injection

All applications built with Microsoft's .NET framework run one or multiple application domains, created and managed by the "AppDomainManager" class. In AppDomainManager injection, an attacker creates an AppDomainManager class with malicious code, then dupes a targeted application into loading it instead of the legitimate one. This can be done by configuring three particular environment variables (APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE, and COMPLUS_VERSION) or, as is the case in this campaign, uploading a custom configuration file that simply directs the app to run their malicious AppDomainManager.

"You're effectively telling the Common Language Runtime (CLR) — the piece of the Windows operating system that tells the operating system how to load and handle .NET applications — to include a malicious DLL anytime you run a .NET process," explains Nicholas Spagnola, lead security consultant for penetration testing at Rapid7. "It effectively allows you to turn almost any .NET application into a living-off-the-land binary," or lolbin.

"Currently, DLL side-loading is the most common method of executing malware," the NTT researchers wrote, "but AppDomainManager Injection is much easier than DLL side-loading, and there are concerns that exploitation may increase in the future."

Because it can be so difficult to spot these kinds of malicious injections, King recommends an approach to defense that blocks such attacks before they can get rolling.

"The biggest thing that you're looking at here is being able to prevent the execution of the payloads in the first place," he says. In the case of this latest campaign, for example, "These are spear phishing attacks bringing in ZIP files. There are rudimentary controls that you can put in place at the MMC level, but [prevention] really just boils down to great practices around email hygiene."