Threat actors are abusing MSBuild to implant Cobalt Strike Beacons

Pierluigi Paganini December 28, 2021

Experts warn of malicious campaigns abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised systems.

Security expert from Morphus Labs recently observed several malicious campaigns abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software to deliver malware using callbacks.

Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho revealed to have uncovered two different malicious campaigns that were abusing MSBuild for code execution.

The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike payload.

“Now, let’s look at the malicious MSBuild project file in Figure 3. Using the same principle, when called by MSBuild, it will compile and execute the custom C#, decode and execute the Cobalt Strike beacon on the victim’s machine.” wrote Marinho.

malicious msbuild project

In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.

The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.

“One way to decrypt the SSL traffic is to use a man-in-the-middle approach. To this end, I used the project mitmproxy. The communication schema when using a tool like this is to make the client, the Cobalt Strike beacon, talk to the SSL proxy and make the SSL proxy to talk with the C2 server. In the middle (proxy), we will have the traffic unencrypted.” added the expert.

In order to analyze the code executed by the malicious MSBuild project, the expert decrypted the variable ‘buff’ that will store the decrypted malicious content. 

The researcher implemented the same decryption function in Python to decrypt the code and analyze it.

The expert pointed out that using the Windows Defender Application Control (WDAC) policy it is possible to neutralize these attacks by blocking malicious applications that could execute malicious payloads.

“MSBuild composes the list of applications signed by Microsoft that can allow the execution of other codes. According to Microsoft’s recommendations [7], these applications should be blocked by the Windows Defender Application Control (WDAC) policy. There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow msbuild.exe in the code integrity policies.” Marinho concluded.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IKEA)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment