AppDomainManager injection is abused to execute malware through the .NET Framework by hijacking how an application loads DLLs, often via a malicious MSC file delivered in a ZIP archive. The campaign leverages GrimResource to trigger the malicious behavior simply when the MSC file is opened, and the attackers have deployed Cobalt Strike beacons in the compromised environments. #AppDomainManagerInjection #GrimResource #CobaltStrike #APT41 #MSCFile
Key points
- AppDomainManager Injection was publicly discussed in 2017 and is being opportunistically reused in modern attacks.
- Recent activity (since July 2024) is suspected to involve state-sponsored threat actors.
- Attackers distribute ZIP archives containing malicious MSC files; the user’s action of opening the MSC triggers the attack.
- GrimResource is employed to bypass typical steps, enabling malicious behavior simply by opening the MSC file.
- Malicious MSC files abuse apds.dll and embedded JavaScript/VBScript to download and run additional components, including a renamed Microsoft binary (oncesvc.exe).
- Final payloads involve Cobalt Strike beacons to compromise target networks, with attribution suggesting APT41-like techniques.
- The technique potentially affects a wide range of .NET applications and poses detection challenges, underscoring the need for targeted mitigations.
MITRE Techniques
- [T1574.014] Hijack Execution Flow: AppDomainManager – External DLLs are loaded into a legitimate EXE and InitializeNewDomain() is invoked to execute malicious behavior. ‘An external DLL file is loaded into a legitimate EXE, and the attacker can execute malicious behavior from InitializeNewDomain().’
- [T1566.001] Phishing – Spearphishing Attachment – Attacks include spearphishing emails with ZIP attachments delivering malicious MSCs. ‘Spearphishing emails with ZIP attachments.’
- [T1105] Ingress Tool Transfer – The attacker downloads and saves multiple files from a remote source and then executes a component (oncesvc.exe). ‘downloads and saves four files and executes oncesvc.exe.’
- [T1059.005] Command and Scripting Interpreter: VBScript – Embedded VBScript is executed to drive malicious actions. ‘VBScript code is executed.’
- [T1204.002] User Execution: Malicious File – Users must open the MSC file to trigger malicious behavior (GrimResource enables execution upon file open). ‘the user opens the MSC file to trigger malicious behavior.’
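Because the hijack is driven by configuration the CLR reads before the application's own code runs, a defender can audit for it statically. The following is an added example, not code from the NTT report: it parses a constructed `.exe.config` for the real `<appDomainManagerAssembly>` / `<appDomainManagerType>` elements (and checks a process environment for the equivalent `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` variables), then triages the result; the `HelperLib` names are made up.

```python
import xml.etree.ElementTree as ET

# Real .NET Framework knobs: these <runtime> child elements of <app>.exe.config,
# and the equivalent process environment variables, name the AppDomainManager
# assembly and type that the CLR loads before the application's own code runs.
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample (hypothetical names): the config a planted HelperLib.dll
# beside a legitimate signed EXE would need in order to be loaded.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="HelperLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HelperLib.Manager" />
  </runtime>
</configuration>"""


def audit_exe_config(config_xml):
    """Return {element: value} for any AppDomainManager settings in a .exe.config."""
    findings = {}
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    for key in CONFIG_KEYS:
        elem = runtime.find(key)
        if elem is not None and elem.get("value"):
            findings[key] = elem.get("value")
    return findings


def audit_environment(env):
    """Return any AppDomainManager overrides present in a process environment dict."""
    return {key: env[key] for key in ENV_KEYS if env.get(key)}


def classify(findings):
    """Triage: a custom AppDomainManager is rare in ordinary software, and one that
    names an assembly without a strong name (PublicKeyToken=null) is resolved by
    probing the application directory, which is the DLL side-loading the summary
    above describes."""
    asm = findings.get("appDomainManagerAssembly") or findings.get("APPDOMAIN_MANAGER_ASM")
    if not asm:
        return "clean"
    if "publickeytoken=null" in asm.replace(" ", "").lower():
        return "suspicious"
    return "review"


if __name__ == "__main__":
    found = audit_exe_config(SAMPLE_CONFIG)
    print(classify(found), found)
```

Run it over every `*.exe.config` under Program Files and user-writable paths; any hit deserves a look at whether the named DLL is signed and expected for that application.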
Indicators of Compromise
- [Domain] krislab.site, msn-microsoft.org, and 7 more (9 domains in total are listed in the original report)
Read more: https://jp.security.ntt/tech_blog/appdomainmanager-injection