Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and information-stealing malware filelessly.
MSBuild (msbuild.exe) is a legitimate, open source Microsoft development platform, similar to the Unix make utility, for building applications.
According to Anomali's Threat Research team, the malicious MSBuild project files distributed during this campaign contain encoded executables and shellcode that the threat actors use to inject the final payload into the memory of newly created processes.
"Although we were unable to determine the delivery method of the .proj files, the target of these files is to execute Remcos or RedLine Stealer," said Anomali intelligence analysts Tara Gould and Gage Mele.
Last month, attackers began pushing Remcos RAT, Quasar RAT, and RedLine Stealer payloads to victims’ computers. As of May 11, these payloads are still active.
Once the RATs are installed on a targeted system, they collect information, take screenshots, disable anti-malware software, establish persistence, and give the attacker complete remote control of the device.
On computers where the attackers have deployed a credential stealer, the malware scans web browsers, messaging apps, VPN clients, and cryptocurrency software to steal stored user credentials.
RedLine can also collect and exfiltrate system information, cookies, and cryptocurrency wallet data from configuration files and application data stored on the victim's device.
Using Microsoft’s legitimate MSBuild development tool allows attackers to avoid detection while loading malicious payloads directly into the memory of the targeted computer.
According to VirusTotal, the malware samples used in this campaign are detected by only a very small number of anti-malware engines.
Fileless malware further reduces the chance of detection because no actual file is written to the victim's device, so no physical trace of the payload remains on the infected machine's hard drive.
According to a WatchGuard Internet security report published at the end of March, fileless malware distribution increased dramatically between 2019 and 2020, surging 888% in one year based on endpoint threat intelligence data collected by WatchGuard Panda products.
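The article describes the technique only at a high level: a project file carries inline code and an encoded payload, and msbuild.exe runs it in memory. The following script is an added defender-side example, not code from the article or from Anomali. It shows two triage checks a blue team can run: inspecting an MSBuild project file for inline task factories that embed compiled code alongside large byte or base64 blobs and memory/thread API names, and flagging process-creation events where msbuild.exe is launched by an Office application or against a project file sitting in a user-writable path. The project file, the log lines, the field names (Image, ParentImage, CommandLine) and the suspicious-parent list are all constructed assumptions for the demonstration.

```python
"""Constructed example: triage checks for MSBuild project-file abuse.
Not affiliated with the article, Anomali, or any real sample."""
import re
import xml.etree.ElementTree as ET

# Task factories that let a project file carry inline C#/VB source.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Win32 names commonly referenced by in-memory loaders (detection indicators only).
MEMORY_API_PATTERN = re.compile(
    r"\b(CreateRemoteThread|CreateThread|VirtualAlloc|VirtualProtect|WriteProcessMemory)\b")
# A long base64 run or a long comma-separated hex byte array inside <Code>.
LONG_BLOB_PATTERN = re.compile(r"[A-Za-z0-9+/=]{200,}|(?:0x[0-9A-Fa-f]{2},\s*){64,}")
# Assumed list of parent processes that should never spawn a build engine.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
PROJECT_PATH_PATTERN = re.compile(r'([A-Za-z]:\\[^\s"]+\.(?:proj|csproj|vbproj|targets|xml))', re.I)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def inspect_project(xml_text):
    """Return a list of human-readable findings for one MSBuild project file."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "UsingTask" and el.get("TaskFactory", "") in INLINE_TASK_FACTORIES:
            findings.append(f"inline task factory {el.get('TaskFactory')} for task {el.get('TaskName')}")
        elif name == "Code":
            body = el.text or ""
            apis = sorted(set(MEMORY_API_PATTERN.findall(body)))
            if apis:
                findings.append("memory/thread APIs in inline code: " + ", ".join(apis))
            if LONG_BLOB_PATTERN.search(body):
                findings.append("large embedded byte/base64 blob in inline code")
    return findings


def flag_msbuild_events(lines):
    """Parse 'key=value|key=value' process-creation lines and return (reason, command line) pairs."""
    flagged = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
        image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image != "msbuild.exe":
            continue
        parent = fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmd = fields.get("CommandLine", "")
        if parent in SUSPICIOUS_PARENTS:
            flagged.append((f"msbuild.exe spawned by {parent}", cmd))
        match = PROJECT_PATH_PATTERN.search(cmd)
        if match and any(m in match.group(1).lower() for m in USER_WRITABLE_MARKERS):
            flagged.append(("project file in user-writable path: " + match.group(1), cmd))
    return flagged


# Constructed sample project: an inline C# task with a long placeholder byte array.
_BLOB = ", ".join(["0x90"] * 80) + ","
SAMPLE_MALICIOUS = f"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Dropper /></Target>
  <UsingTask TaskName="Dropper" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      // constructed placeholder, not a working loader: references VirtualAlloc and CreateThread
      byte[] buf = new byte[] {{ {_BLOB} }};
    ]]></Code></Task>
  </UsingTask>
</Project>"""

# Constructed benign project: an ordinary compile target, no inline code.
SAMPLE_BENIGN = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Csc Sources="Program.cs" OutputAssembly="app.exe" /></Target>
</Project>"""

# Constructed process-creation events (field layout is an assumption, not a real product's schema).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.proj",
    r"Image=C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"
    r"|ParentImage=C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"
    r"|CommandLine=MSBuild.exe C:\src\app\app.csproj /t:Build",
]

if __name__ == "__main__":
    for finding in inspect_project(SAMPLE_MALICIOUS):
        print("project:", finding)
    for reason, cmd in flag_msbuild_events(SAMPLE_EVENTS):
        print("event:", reason, "|", cmd)
```

The project-file check is cheap enough to run on every .proj/.csproj that lands in a mail gateway or download directory, and the event check maps directly onto a SIEM rule: msbuild.exe launched from an Office parent, or fed a project file from Temp, Downloads or AppData, is almost never a legitimate build.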
"The threat actors behind this campaign used fileless distribution as a way to bypass security measures, and this technique is used by the actors for a variety of goals and motives," Anomali concluded.
This campaign underlines that relying on anti-virus software alone is not enough to protect a network, and that the use of legitimate tooling to hide malware from anti-virus technology is both effective and growing rapidly.