Taiwanese government agencies, Vietnamese energy entities, and the Philippine military have since last month been targeted by new intrusions that deploy Cobalt Strike beacons through AppDomain Manager Injection, a technique akin to DLL side-loading, BleepingComputer reports.
Attackers distributed a ZIP file containing a malicious Microsoft Script Component file which, when opened, achieved code execution through the GrimResource attack technique, abusing a cross-site scripting flaw in apds.dll to run malicious JavaScript, according to an NTT report. The MSC file also created a configuration file that points the .NET Framework at a DLL containing a class based on its AppDomainManager class; that DLL then executes code to evade security defenses and ultimately injects a Cobalt Strike beacon for further malicious activity, NTT researchers said. The threat actors' combined use of AppDomain Manager Injection and GrimResource suggests a high degree of technical sophistication, the researchers added.
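The two artefacts the report describes, a .NET runtime configuration file that selects a custom AppDomainManager and an MSC console file that references apds.dll, both leave a file-system footprint a defender can sweep for. The following scanner is an added example written for this page, not code from NTT, BleepingComputer or the campaign; the `appDomainManagerAssembly` and `appDomainManagerType` element names are the real .NET Framework `<runtime>` configuration elements, while the sample config, the sample MSC and the `EXAMPLE_Loader` names are constructed for the dry run.

```python
"""Defender-side sweep for AppDomain Manager Injection configs and MSC files
that reference apds.dll (the library named in the GrimResource technique)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Real .NET Framework <runtime> configuration elements. Legitimate applications
# almost never set them, so their presence in a *.exe.config is a strong signal.
APPDOMAIN_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Any reference to apds.dll inside a management console file is anomalous.
APDS_PATTERN = re.compile(rb"apds\.dll", re.IGNORECASE)


def check_runtime_config(data):
    """Return {'assembly': ..., 'type': ...} when the config selects a custom
    AppDomainManager, otherwise None. Unparsable XML yields no finding."""
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, ValueError):
        return None
    found = {}
    for runtime in root.iter("runtime"):
        for elem in runtime:
            if elem.tag in APPDOMAIN_ELEMENTS:
                found[elem.tag] = elem.get("value", "")
    if not found:
        return None
    return {"assembly": found.get("appDomainManagerAssembly", ""),
            "type": found.get("appDomainManagerType", "")}


def check_msc(data):
    """Return the byte offset of the first apds.dll reference, or -1 if none."""
    match = APDS_PATTERN.search(data)
    return match.start() if match else -1


def scan_tree(root_dir):
    """Walk root_dir and return sorted (path, finding_kind, detail) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            lower = name.lower()
            if lower.endswith(".config"):
                hit = check_runtime_config(data)
                if hit:
                    findings.append((path, "appdomain_manager_config", hit))
            elif lower.endswith(".msc"):
                offset = check_msc(data)
                if offset >= 0:
                    findings.append((path, "msc_apds_reference", offset))
    return sorted(findings, key=lambda f: f[0])


# Constructed samples for an offline dry run (not artefacts from the report).
SAMPLE_CONFIG = b"""<configuration>
  <runtime>
    <appDomainManagerAssembly value="EXAMPLE_Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="EXAMPLE_Loader.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = b"""<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SAMPLE_MSC = b"""<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">apds.dll</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""


def build_sample_tree():
    """Write the constructed samples into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, "tool.exe.config"), "wb") as fh:
        fh.write(SAMPLE_CONFIG)
    with open(os.path.join(app, "other.exe.config"), "wb") as fh:
        fh.write(BENIGN_CONFIG)
    with open(os.path.join(root, "invoice.msc"), "wb") as fh:
        fh.write(SAMPLE_MSC)
    return root


if __name__ == "__main__":
    for path, kind, detail in scan_tree(build_sample_tree()):
        print(f"{kind}: {path} -> {detail}")
```

Run it against a user profile or a share where the ZIP lure was opened; a `.exe.config` that names an `appDomainManagerAssembly` beside a legitimately signed executable is the config-file half of the chain the report describes, and the referenced assembly is the DLL to pull for analysis. The MSC check is deliberately a plain string match, since the report only tells us the file references apds.dll, not the exact layout used.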