Researchers have noticed a switch to the use of MSC files targeting the Microsoft Management Console and using it to facilitate the initial compromise of victim computers.

The latest technique seen in a campaign called GrimResource involves the packaging up of an exploit for an old cross-site scripting (XSS) vulnerability in an MSC file that leverages the vulnerability in the apds.dll library which could allow an attacker to run JScript code. The issue was initially reported to Adobe and Microsoft back in 2018 but Microsoft decided not to fix it at the time as it “doesn’t meet the bar for immediate servicing in a security update.”

Recently, attackers started to combine the old XSS issue with another existing technique called DotNetToJs to trigger the execution of a .NET payload and are actively using it in attacks against victims, most likely via email or social media with attachments or links to the MSC file for the victim to open.

Successful attacks have led to the installation of the dual-use Cobalt Strike threat testing tool which is also often used by some threat actors for remote access.