Threat actors deploy remote access tools (RATs) and information-stealing malware by abusing the Microsoft Build Engine (MSBuild) in an ongoing campaign.
Anomali’s Threat Research team described how the threat actors embedded encoded executables and shellcode in MSBuild project files, which then inject the final payloads into the memory of newly spawned processes.
“While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer,” Anomali’s Tara Gould and Gage Mele said.
Last month, the researchers observed the attackers delivering Remcos RAT, Quasar RAT, and RedLine Stealer to victims’ computers in a campaign that was still ongoing when Anomali published its research on Thursday. These RATs can harvest keystrokes and credentials, take screenshots, disable anti-malware software, and gain persistence that ultimately leads to a full takeover of the device.
Once deployed, the RedLine info stealer scans web browsers, messaging apps, and VPN and cryptocurrency software for credentials to steal. It also collects and exfiltrates system information, cryptocurrency wallet data, and cookies from the application data and configuration files on the victim’s device.
At the time of writing, the malware is either not detected or detected by only a few anti-malware engines, according to VirusTotal. The attackers evade detection because MSBuild is a legitimate Microsoft development tool, which lets them inject the payloads directly into the victim’s computer memory. Since the malware never writes the payloads to disk (so-called fileless malware), no traces of them are left on the hard drive, and the chances of the attack being spotted are even smaller.
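Because the project files themselves are the one artifact that does touch disk, a defender can triage them for the two traits described above: an inline task (which lets a .proj file run arbitrary C# under MSBuild) combined with a large encoded blob. The following triage script is an added example, not code from Anomali or from the campaign; the `.proj` samples are constructed, the blob is filler, and the 400-character threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild task factories that compile and run code embedded in the project file.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

def scan_proj(xml_text: str, min_blob_len: int = 400) -> dict:
    """Triage one MSBuild project file: report inline tasks and long encoded blobs."""
    root = ET.fromstring(xml_text)
    inline_tasks = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the MSBuild xmlns, if present
        if tag == "UsingTask" and el.get("TaskFactory", "") in INLINE_FACTORIES:
            inline_tasks.append(el.get("TaskName", "?"))
    # Long runs of the base64 alphabet are a cheap indicator of an embedded binary.
    blob_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_blob_len)
    blob_bytes = sum(len(m.group(0)) for m in blob_re.finditer(xml_text))
    return {
        "inline_tasks": inline_tasks,
        "blob_bytes": blob_bytes,
        "suspicious": bool(inline_tasks) and blob_bytes > 0,
    }

# Constructed sample resembling the campaign's .proj files: an inline C# task
# plus a large encoded string. The blob is filler, not a real payload.
SUSPECT_PROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunInline />
  </Target>
  <UsingTask TaskName="RunInline" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        // constructed placeholder body (no real task code)
        string blob = "__BLOB__";
      ]]></Code>
    </Task>
  </UsingTask>
</Project>""".replace("__BLOB__", "QUJDRA" * 200)

# Constructed control: an ordinary project with no inline task and no blob.
BENIGN_PROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Message Text="hello" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_PROJ), ("benign", BENIGN_PROJ)):
        print(name, scan_proj(text))
```

Pair this with process telemetry: MSBuild.exe launched outside a build host, or with a .proj from a user-writable directory, is the event to alert on.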
“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” Anomali said.
According to a recent WatchGuard report, use of fileless malware delivery spiked in 2019-2020, a dramatic increase of 888% based on a year of endpoint threat intelligence collected by the company.