A New MSBuild Fileless Malware Campaign in Which Threat Actors Used MSBuild to Deliver RATs
Another serious malware distribution campaign targeting Windows systems has been launched on the internet. The most disturbing fact is that most antivirus engines failed to detect the malware. The MSBuild fileless malware campaign was launched last month; in it, threat actors used Microsoft’s MSBuild tool as a stealth weapon to deliver Remote Access Trojans and the password-stealing malware known as RedLine Stealer.
Table of Contents
. How Is This MSBuild Fileless Malware Campaign Designed to Deliver the Malware?
. Why Threat Actors Used MSBuild to Carry Out the MSBuild Fileless Malware Campaign?
. What Is Fileless Malware? And, Why Is It Important to Know About It?
. Characteristics of Fileless Malware:
. RemcosRAT
. Remcos RAT Review — The Most Advanced Remote Access Tool
. RedLine Stealer
. How to Prevent The MSBuild Fileless Malware Campaign?
. MSBuild Malware IOCs:
. VirusTotal Detection Score:
How Is This MSBuild Fileless Malware Campaign Designed to Deliver the Malware?
Threat actors have abused Microsoft’s MSBuild (a tool used for building apps) to deliver the malware filelessly. Three malware families were primarily seen in the campaign: RemcosRAT, Quasar, and RedLine Stealer.
RemcosRAT (aka Remote Control and Surveillance software) grants full access to the remote attacker, with features ranging from capturing keystrokes and recording microphones and webcams to executing arbitrary commands. Quasar is an open-source .NET-based RAT capable of keylogging and password stealing, among many other capabilities. RedLine Stealer is a malware program that can harvest credentials from browsers, VPNs, and messaging clients.
It has been observed that threat actors weaponized the MSBuild .proj file by embedding encoded executables and shellcode in it. At this point in time, we still don’t know how the malware is being distributed. However, we have found that the malware was hosted on a Russian image hosting site, joxi[.]net. Visit here to learn more about it.
Why Threat Actors Used MSBuild to Carry Out the MSBuild Fileless Malware Campaign?
If you are not familiar with MSBuild, it is a development tool mostly used for building applications for the Windows platform, specifically when Visual Studio is not present on the system. MSBuild uses XML project files that store all the details required to compile the whole project. A “UsingTask” element in the project file defines a task that will be compiled by the MSBuild tool. In addition to the “UsingTask” element, MSBuild has an inline task feature that lets source code embedded in the project file be compiled by MSBuild and executed in memory. This ability to execute code in memory created an excellent opportunity for threat actors, and it is exactly what was abused in this MSBuild fileless malware campaign.
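As an added example (not code from the original article), the following Python script scans an MSBuild project file for inline tasks of the kind described above and flags those whose embedded source carries a large base64 blob or references memory-execution APIs. The sample project, the indicator list, and the 200-character blob threshold are constructed assumptions for illustration; tune them to your environment.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by classic MSBuild project files (SDK-style projects omit it).
MSB_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
# Assumed indicator set: APIs commonly seen in in-memory loaders.
SUSPICIOUS_APIS = ("VirtualAlloc", "CreateThread", "WriteProcessMemory", "Marshal.Copy")
# A long run of base64 alphabet characters inside task source code.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_project(xml_text):
    """Return one finding per inline task, each with the reasons it looks suspicious."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter():
        if task.tag not in ("UsingTask", MSB_NS + "UsingTask"):
            continue
        code = next((e for e in task.iter() if e.tag.endswith("Code")), None)
        if code is None:
            continue  # UsingTask that points at a compiled assembly, not an inline task
        body = code.text or ""
        reasons = []
        if BASE64_BLOB.search(body):
            reasons.append("large base64 blob in inline code")
        reasons += ["references " + api for api in SUSPICIOUS_APIS if api in body]
        findings.append({"task": task.get("TaskName"), "language": code.get("Language"), "reasons": reasons})
    return findings


def suspicious_tasks(xml_text):
    """Only the inline tasks that triggered at least one indicator."""
    return [f for f in scan_project(xml_text) if f["reasons"]]


# Constructed sample: one benign inline task and one carrying an encoded blob
# plus a memory-allocation call (placeholder text, not a working loader).
BLOB = "QUJDRA" * 40
SAMPLE_PROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Hello /><Loader /></Target>
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("hello");</Code></Task>
  </UsingTask>
  <UsingTask TaskName="Loader" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">
      byte[] payload = Convert.FromBase64String("BLOB");
      IntPtr mem = VirtualAlloc(IntPtr.Zero, (uint)payload.Length, MEM_COMMIT, PAGE_RWX);
    </Code></Task>
  </UsingTask>
</Project>""".replace("BLOB", BLOB)
```

Running `suspicious_tasks(SAMPLE_PROJ)` returns only the "Loader" task with both reasons; the benign "Hello" task is listed by `scan_project` with an empty reason list.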
What Is Fileless Malware? And, Why Is It Important to Know About It?
Fileless malware is a type of malware that uses a legitimate program to load the malicious code into memory. Unlike traditional malware, fileless malware does not require the attacker to drop code on the target’s disk for execution. This technique makes it hard to detect. In experimental conditions, most antivirus engines either failed to detect the fileless malware or flagged it with only a low-severity detection.
Characteristics of Fileless Malware:
RemcosRAT
Remcos RAT Review — The Most Advanced Remote Access Tool
We thank Breaking Security for creating such excellent video content on Remcos RAT.
Remcos is commercial software created by Breaking Security. It is available in a community edition as well as a free edition. The application was created to let remote administrators perform remote control, remote administration, remote anti-theft, remote support, and pen-testing. However, Remcos has often been used by threat actors for malicious purposes. The software is written in C++ and enables full access to the remote machine. Some of its features include:
RedLine Stealer
As the name says, RedLine Stealer is an open-source password-harvesting tool. It is written in .NET and has been observed stealing credentials, including:
How to Prevent the MSBuild Fileless Malware Campaign?
The main strength of fileless malware is its stealthy nature, which makes it tough to detect. Legacy AV, sandboxing, and machine learning methods will fail to detect fileless malware attacks. Security engineers cannot simply dismiss the problem by stating that these attacks are difficult to detect. We will list some techniques that could work as a game-changer in preventing fileless malware.
MSBuild Malware IOCs:
VirusTotal Detection Score:
If you find this article interesting, visit our site to read more:
This post was originally published at thesecmaster.com.
We thank everybody who has been supporting our work and request that you check out thesecmaster.com for more such articles.