Hackers abuse Microsoft Build Engine (MSBuild) to deliver malware filelessly on targeted Windows systems.
Researchers at the cybersecurity firm Anomali discovered the ongoing campaign. The malicious build files carry embedded executables and shellcode that deploy backdoors, giving the attackers control of the victim's machine and a way to steal sensitive information.
Microsoft Build Engine (MSBuild) is Microsoft's open-source build tool for .NET and Visual Studio. It compiles source code and packages, tests and deploys applications. MSBuild.exe is a Microsoft-signed binary that ships with the .NET Framework, so it is already present on many Windows machines that have never had a developer tool installed.
The malware uses a legitimate, signed application to load the attack code into memory. The mechanism is MSBuild's inline task feature: a project file can contain C# or VB source that MSBuild compiles and executes while it "builds" the project. A malicious .proj file uses this to decode an embedded executable or shellcode and run it inside the MSBuild.exe process, so no separate malicious binary is ever written to disk. The idea behind using MSBuild to compromise a machine filelessly is to stay under the radar: there is no dropped executable for an antivirus scanner to flag, the payload lives only in memory, and the process doing the work is a trusted Microsoft binary. One caveat: the project file itself does touch disk, so "fileless" describes the payload rather than the delivery vehicle, and that file is where static detection has to look.
According to the Anomali researchers, many of the analysed samples delivered the Remcos RAT, with a few others delivering the Quasar RAT and RedLine Stealer. At the time of the report, only two security vendors flagged one of the MSBuild project files ("vwnfmo.lnk") as malicious; the other sample ("72214c84e2.proj"), uploaded to VirusTotal on April 18, was undetected by every anti-malware engine. Note the .lnk extension on the first sample: MSBuild builds whatever file it is handed regardless of its name, so filtering on .proj or .csproj extensions will not catch a renamed project file.
Once Remcos (Remote Control and Surveillance software) is installed, the attackers gain full remote access to the victim's machine. Remcos can also capture keystrokes, execute arbitrary commands, and record from the microphone and webcam.
Quasar, on the other hand, is an open-source .NET-based RAT with keylogging and password-stealing capabilities, among others. RedLine Stealer is commodity malware that captures credentials from browsers, VPN clients and messaging clients, and also steals passwords and wallets belonging to cryptocurrency applications.
Anomali researchers Tara Gould and Gage Mele said, “The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations. This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”
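Because the project files slip past signature scanning, the practical detection is behavioural: watch how MSBuild.exe is launched. The following added example (not Anomali's detection content and not from the article) triages constructed Sysmon-style process-creation events for three signals: a parent process that is not a build host, a "project" file whose extension is not a build file (the campaign's vwnfmo.lnk), and a project file sitting in a user drop directory such as Temp or Downloads. The log format, field names, the expected-parent set and the path patterns are assumptions to tune to your environment; expect noise on developer workstations and build agents.

```python
"""Behavioural triage of MSBuild.exe process-creation events.

Added example, not Anomali's detection content. The events below are
constructed Sysmon-style (Event ID 1) records; the field names, paths,
expected parents and drop-directory patterns are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Parents from which MSBuild normally runs (assumed; extend for your build agents).
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# File types a legitimate MSBuild invocation is handed.
PROJECT_EXTENSIONS = {".proj", ".csproj", ".vbproj", ".fsproj", ".vcxproj",
                      ".sln", ".targets", ".props"}

# Directories where a real project file is unlikely and a dropped one is common.
USER_DROP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public|ProgramData)\\", re.I)

def parse_event(line):
    """Parse the constructed 'Key=Value;Key=Value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def project_argument(cmdline):
    """First non-switch argument after the executable, i.e. the project file."""
    for arg in re.findall(r'"[^"]*"|\S+', cmdline)[1:]:
        arg = arg.strip('"')
        if not arg.startswith(("/", "-")):
            return arg
    return None

def triage_launch(ev):
    """Return the reasons an MSBuild launch looks like a loader; empty if nothing stands out."""
    if PureWindowsPath(ev.get("Image", "")).name.lower() != "msbuild.exe":
        return []
    reasons = []
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"parent {parent} is not a build host")
    proj = project_argument(ev.get("CommandLine", ""))
    if proj:
        suffix = PureWindowsPath(proj).suffix.lower()
        if suffix not in PROJECT_EXTENSIONS:
            reasons.append(f"project file extension {suffix!r} is not a build file")
        if USER_DROP_DIRS.search(proj):
            reasons.append("project file lives in a user drop directory")
    return reasons

# Constructed events: a normal Visual Studio build, then two launches shaped like
# the campaign (file names from the report, everything else made up).
SAMPLE_EVENTS = [
    r'Image=C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe;'
    r'ParentImage=C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe;'
    r'CommandLine="MSBuild.exe" C:\src\app\app.csproj /t:Build',
    r'Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe;'
    r'ParentImage=C:\Windows\explorer.exe;'
    r'CommandLine=MSBuild.exe C:\Users\bob\AppData\Local\Temp\vwnfmo.lnk',
    r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe;'
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;'
    r'CommandLine=MSBuild.exe C:\Users\bob\Downloads\72214c84e2.proj',
]

def run(events=SAMPLE_EVENTS):
    """Triage every event; returns one reason list per event, in order."""
    return [triage_launch(parse_event(e)) for e in events]

if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, run()):
        print(parse_event(event)["CommandLine"], "->", reasons or "ok")
```

The third event is the one worth dwelling on: the project has a respectable .proj extension and the parent is an Office application, so only the parent and the Downloads path give it away. Pair a rule like this with network telemetry for MSBuild.exe, which has no reason to open outbound connections during a build.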