MSBuild tool used to deliver RATs filelessly

Hackers abuses Microsoft Build Engine (MSBuild) to filelessly deliver malware on targeted Windows systems, including RAT and password-stealer.

Researchers from Anomali observed threat actors abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and RedLine Stealer password-stealing malware on targeted Windows systems.

“Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.” reads a report published by Anomali.

The campaign has begun in April 2021 and is still ongoing, experts pointed out that it has low or zero detections.

MSBuild is a free and open-source build tool set for managed code as well as native C++ code and was part of .NET Framework. It is used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.

The MSBuild files employed in the attacks spotted by the experts contained encoded executables and shellcode, some of which were hosted on Russian image-hosting site (joxi[.]net). At the time of this writing, the way the .proj files were distributed has yet to be discovered, anyway the files were used by attackers to execute Remcos or RedLine Stealer.

The use of MSBuild allows the attackers to avoid detection while loading the malicious code into memory.

Most of the samples analyzed by Anomali were used to deliver the Remcos RAT, while others were also delivering the Quasar RAT and RedLine Stealer.

Remcos is a commercial software that can be used for remote control, remote admin, remote anti-theft, remote support and pentesting. The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.

“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” concludes Anomali. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MSBuild)

[adrotate banner=”5″]

[adrotate banner=”13″]