In June 2024, cybersecurity companies worldwide became aware of a new threat known as GrimResource.
The Qi'anxin Threat Intelligence Center and Falcon Operations Team promptly initiated an investigation into this matter.
In mid-July 2024, it was discovered that GrimResource had successfully targeted government and business computers in China.
These attacks were executed by cybercriminals who posed as the Chrome browser download site in order to deceive individuals into downloading their malicious software.
The GrimResource malware operates by exploiting a specific vulnerability known as XSS in select computer files.
The program utilizes a technique called DotNetToJScript to execute concealed code, enabling it to bypass security alerts and operate without the need for file installations.
This can be quite challenging to detect and put a stop to. According to experts, it is predicted that attackers will increasingly utilize this method in the future. They will send deceptive emails that appear harmless but are actually malicious.
How the Attack Works
The GrimResource attack can be easily explained. First, the attacker conceals their malicious code within a specific file format known as MSC.
They intentionally make the code difficult to read. Upon analysis by experts, it was discovered that the attacker employed a unique encryption method sourced from jsjiami.com.v7. This code retrieves a complex code from a designated website.
Next, the updated code loads a program called TestAssembly.dll, which is encrypted. This program is specifically designed to download a variety of tools, such as Bandzip, Python components, a zip file (code.zip), and an application called autokey.
The attacker configures a task to execute autokey's white process (wd.exe), which subsequently launches another script (wd.ahk) located in the same directory.
The wd.ahk script uses Bandzip to effortlessly unzip the code.zip file, using the password “403team.” Once unzipped, the Python script (code.py) is executed.
This Python script functions as a downloader, retrieving additional malicious code from a remote server and injecting it into the computer's memory.
This malicious code, known as codemark downloader, establishes a connection to a control server in order to retrieve the encrypted payload.
After decoding, the final payload, referred to as codemark Rat, becomes active. This software has the ability to execute commands and control the infected computer from a remote location.
This program is capable of running a remote PowerShell script and utilizing a commercial remote control tool known as winos.
Qi'anxin continues to watch this threat closely and advises everyone to be careful with email links and downloads. In order to avoid these kind of attacks, always use official websites when downloading software.