A New MSBuild Fileless Malware Campaign

Another serious malware distribution campaign targeting Windows systems has been launched on the internet. The most disturbing fact is that most antivirus engines failed to detect the malware. The MSBuild fileless malware campaign was launched last month; in it, threat actors used Microsoft’s MSBuild tool as a stealth weapon to deliver Remote Access Trojans and password-stealing malware known as RedLine stealer.

How Is This MSBuild Fileless Malware Campaign Designed To Deliver The Malware?

Threat actors have abused Microsoft’s MSBuild (a tool used for building apps) to deliver the malware filelessly. Primarily three malware families were seen in the campaign: RemcosRAT, Quasar, and RedLine stealer.

RemcosRAT (aka Remote Control and Surveillance software) grants full access to the remote attacker; its features range from capturing keystrokes and recording microphones and webcams to executing arbitrary commands. Quasar is an open-source .NET-based RAT that is capable of keylogging and password stealing, among many other capabilities. RedLine stealer is a malware program that harvests credentials from browsers, VPNs, and messaging clients.

It has been seen that threat actors weaponized the MSBuild .proj file by embedding encoded executables and shellcode in it. At this point in time, we still don’t know how the malware is being distributed. However, we have found that the malware was hosted on a Russian image hosting site, joxi[.]net. Visit here to know more about it.

Why Threat Actors Used MSBuild To Carry Out The MSBuild Fileless Malware Campaign?

If you don’t know about MSBuild, it is a development tool mostly used for building applications for the Windows platform, specifically when Visual Studio is not present on the system. MSBuild uses XML project files which store the complete details required to compile the whole project. There is a “UsingTask” element in the project file, which defines a task that will be compiled by the MSBuild tool. In addition to the “UsingTask” element, MSBuild has an inline task feature that enables code to be compiled by MSBuild and executed in memory. This ability to execute code in memory has created an excellent opportunity for threat actors to use MSBuild in this MSBuild fileless malware campaign.
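The following script shows what the “UsingTask” plus inline-task pattern looks like in a project file and how a defender can triage .proj files for it: it parses the XML, lists every UsingTask, notes whether the task uses an inline code factory, and measures how much base64-like text sits inside the task body. This is an added example, not code from the original article; the two sample projects, the 200-character blob threshold, and the verdict labels are assumptions made for illustration.

```python
"""Triage an MSBuild project file for inline tasks carrying encoded blobs.
Added example, not code from the original article; the sample projects
below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Task factories that compile code supplied inline in the project and run it
# inside the MSBuild.exe process (a documented MSBuild feature).
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

# A long unbroken run of base64 alphabet inside a task body is how an encoded
# executable or shellcode would be carried; 200 chars is an assumed threshold.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Constructed sample 1: the Build target only runs an inline task whose body
# holds a large encoded string (harmless placeholder bytes here).
INLINE_PROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <HelloTask />
  </Target>
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        string blob = "__BLOB__";
        System.Console.WriteLine("hello from inline task");
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
""".replace("__BLOB__", "QUJD" * 60)

# Constructed sample 2: an ordinary project that just compiles sources.
PLAIN_PROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="app.exe" />
  </Target>
</Project>
"""


def local_name(tag):
    """Strip the XML namespace that old-style MSBuild projects carry."""
    return tag.rsplit("}", 1)[-1]


def inspect_project(xml_text):
    """Return one finding (dict) per UsingTask element in the project."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        code_nodes = [c for c in el.iter() if local_name(c.tag) == "Code"]
        code_text = "".join(c.text or "" for c in code_nodes)
        findings.append({
            "task": el.get("TaskName", "?"),
            "factory": factory,
            # Inline if it names an inline factory or carries a <Code> body.
            "inline": factory in INLINE_FACTORIES or bool(code_nodes),
            "code_chars": len(code_text),
            "blob_chars": sum(len(m.group(0)) for m in BLOB_RE.finditer(code_text)),
        })
    return findings


def verdict(findings):
    """'suspicious' when inline code carries an encoded blob, 'review' for any
    other inline task, 'clean' when the project defines no inline task."""
    if any(f["inline"] and f["blob_chars"] for f in findings):
        return "suspicious"
    if any(f["inline"] for f in findings):
        return "review"
    return "clean"


if __name__ == "__main__":
    for name, proj in (("inline", INLINE_PROJ), ("plain", PLAIN_PROJ)):
        found = inspect_project(proj)
        print(name, verdict(found), found)
```

Inline tasks are a legitimate feature, so a bare “review” verdict is only a prompt to read the task body; the combination of an inline factory and a large encoded string is the pattern worth escalating, and the same parser can be pointed at any .proj or .targets file found outside a known source tree.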

What Is Fileless Malware? And, Why Is It Important To Know About It?

Fileless malware is a type of malware that uses a legitimate program to load the malicious code into memory. Unlike traditional malware, fileless malware does not require the attacker to drop code on the target’s disk for execution. This technique makes it hard to detect: in practice, most antivirus engines either fail to detect fileless malware or flag it with a low-severity detection.

Characteristics Of Fileless Malware:

  • Abuses legitimate applications that are already on the targeted system
  • Has no identifiable code or signature that traditional AV solutions could detect
  • Has no particular behavior that could be identified by heuristic scanners
  • Memory-based: lives in system memory
  • Uses processes built into the operating system
  • Can be combined with other types of malware
  • May persist in the environment despite sandboxing measures

RemcosRAT

Video: Remcos RAT Review – The Most Advanced Remote Access Tool

We thank Breaking Security for creating such awesome video content on Remcos RAT.

Remcos is commercial software created by Breaking Security. It is available in a community edition as well as a free edition. The application was created to help remote administrators perform remote control, remote administration, remote anti-theft, remote support, and pen-testing. However, Remcos has often been used by threat actors for malicious purposes. The software is written in C++ and enables full access to the remote machine. Some of its features include:

  • Remote Scripting
  • Notifications
  • Webcam Capture
  • Remote Command Line
  • Clear Logins
  • Remote Chat
  • File Manager
  • Remote Input
  • Microphone Capture
  • SOCKS Proxy
  • Keylogger
  • Login Cleaner
  • Screen Logger
  • Local Utilities
  • Browser History
  • Registry Editor
  • Password Recovery
  • Visibility mode

RedLine Stealer

As the name says, RedLine Stealer is an open-source tool used for password harvesting. It is written in .NET and has been observed stealing credentials from applications including:

  • Chrome
  • GameLauncher for Steam
  • Filezilla
  • Guarda
  • Gecko
  • Jaxx
  • Armory
  • Metamask
  • Atomic
  • Monero
  • Coinomi
  • OpenVPN
  • Desktop Messenger for Telegram
  • NordVPN
  • Discord
  • ProtonVPN
  • Electrum
  • Tronlink
  • Ethereum
  • Yoroi

How To Prevent The MSBuild Fileless Malware Campaign?

The main strength of fileless malware is its stealthy nature; this malware is very hard to detect. Legacy AV, sandboxing, and even machine learning methods will fail to detect fileless malware attacks. Security engineers can’t simply dismiss the problem by stating that these attacks are difficult to detect. We list below some techniques which could be game-changers in preventing fileless malware.

  1. Search for IOAs (Indicators of Attack): IOAs include signs such as code execution, lateral movement, and behavioral actions. IOAs don’t describe how the attack is being carried out; instead, they point to the signs of an in-progress attack.
  2. Keep systems up to date: Never miss applying new upgrades or patches.
  3. Remove unwanted services: Disable unwanted ports, enforce the use of only secure network protocols, and remove unused applications from the system.
  4. Fix the latest vulnerabilities: Run periodic VA scans and fix all vulnerabilities, especially remote code execution vulnerabilities.
  5. Harden the system: Close all configuration gaps and make the system more secure.
  6. Defense-in-depth strategy: Don’t trust a single product. Deploy multiple layers of defense and use multiple different products for the defense.
  7. Cybersecurity training & awareness: Host training programs and create awareness about cybersecurity attack vectors.
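Item 1 above is the one that catches a fileless MSBuild attack, because it looks at how MSBuild was launched and what it did rather than at a file on disk. The script below applies that idea to process telemetry: it flags MSBuild runs started by an unexpected parent process, project files read from user-writable locations, and outbound connections from MSBuild to addresses outside the RFC 1918 ranges. This is an added example, not code from the original article; the events are constructed Sysmon-style records (EventID 1 = process create, 3 = network connect), and the parent allow-list and path list are assumptions to be tuned for a given environment.

```python
"""Indicator-of-attack triage for MSBuild process telemetry.
Added example, not code from the original article; events below are
constructed Sysmon-style records, not real logs."""
import re

MSBUILD = "msbuild.exe"

# Parents from which an MSBuild launch is expected (assumed allow-list).
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# Directories a legitimate build rarely reads a project file from (assumed).
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\",
                 "\\users\\public\\", "\\programdata\\")

# Windows path ending in an MSBuild project/targets extension.
PROJECT_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:proj|csproj|vbproj|targets)',
                        re.IGNORECASE)

# Constructed telemetry: one developer build, one suspicious launch from
# explorer with a project in Temp, one external connection, one unrelated process.
EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.proj",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 addresses."""
    first, second = (int(x) for x in ip.split(".")[:2])
    return first == 10 or (first == 172 and 16 <= second <= 31) \
        or (first == 192 and second == 168)


def indicators(event):
    """Return the IOA reasons that apply to one event (empty list = nothing)."""
    reasons = []
    if basename(event["Image"]) != MSBUILD:
        return reasons
    if event["EventID"] == 1:
        parent = basename(event.get("ParentImage", ""))
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"msbuild launched by unexpected parent {parent}")
        for m in PROJECT_RE.finditer(event.get("CommandLine", "")):
            if any(d in m.group(0).lower() for d in USER_WRITABLE):
                reasons.append(f"project file in user-writable path: {m.group(0)}")
    elif event["EventID"] == 3:
        ip = event.get("DestinationIp", "")
        if ip and not is_rfc1918(ip):
            reasons.append("msbuild network connection to external "
                           f"{ip}:{event.get('DestinationPort')}")
    return reasons


def triage(events):
    """Evaluate every event; result list is aligned with the input."""
    return [indicators(e) for e in events]


if __name__ == "__main__":
    for event, reasons in zip(EVENTS, triage(EVENTS)):
        if reasons:
            print(basename(event["Image"]), "->", "; ".join(reasons))
```

None of these three rules needs a hash or a signature, which is why they still fire when the project file is freshly re-encoded; the trade-off is that a build server whose agent is not in the parent allow-list will produce noise until the list is tuned.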

MSBuild Malware IOCs:

Project File (MD5) | Payload | Payload (MD5) | C2 | Details
--- | --- | --- | --- | ---
45c94900f312b2002c9c445bd8a59ae6 | Remcos | 04fc0ca4062dd014d64dcb2fe8dbc966 | 135.181.170.169:50845 |
d8a57534382a07cc0487b96350bca761 | Remcos | eb8b1d64429e00f2b3b49f886ee3b0b4 | | http://dl4.joxi.net/drive/2021/04/15/0048/3592/3153416/16/b8c104ce64.png
d52d6bad3d11e9a72998608ccca572f5 | Remcos | 41c0bb6e89ad89af8eef7bec40d4acbb | |
d66740b3ed3884c31d40e3747684411e | RedLine | 302207c3248257d4d9badf4bc4b75483 | svhost-system-update.net:80 | http://dl4.joxi.net/drive/2021/04/19/0048/3592/3153416/16/d07409594a.proj
43660f882cc5971ab83a810398487317 | RedLine | 6d3e8a2802848d259a3baaaa78701b97 | 37.1.206.16:7575 |
192b8ee95537dda7927ba3b45183e6a4 | Remcos | b8e9ce084d9d49f565f850c59b003bcf | | http://joxi.net/52ap4j7tkJER7m.proj
1ae425ac2890283ddcf11946e7e8f6ae | QuasarRat | 723f5e75239b66e3d08b83a131c7b66c | |
20621960888a6299123ce5a2df5eabba | Remcos | f174c03d177a04e81677e9c9a9eae0c8 | |
27b62f7b4b285b880b8c81960aa60b15 | Remcos | cf45b793bc9ec86bfedfa165c01ede15 | |
2d15a4c9184878e25bdf108bd58290b8 | Remcos | de2ff99ca086a8ad0f9b8027aef696ba | |
37bbbbc44c80ff4fe770ce78f6a37ebd | Remcos | 73790d28f4f8f0f4c402da66c8dc393f | |
603b1cc2d5488dcd8bb0a3b14429c88b | Remcos | 23c5bc4a2e69c3f171561b524ceb4098 | |
62c8efb35b3b9c10e965ec5a236fed2d | Remcos | 4def35aedc86a946c13118e14127e0e9 | |
a948e8d3222b9fa8ccbd091230098b78 | Remcos | 85c700ff566161c77a03f282fa48a246 | |
ecdb2860af9ce2754d178c80e3303080 | QuasarRat | 7870a7c7e355d1fbf357c846d8bf2aea | |
fe84ead033bfeaee70f84d8733b51e08 | RedLine | 4023e57ffbc87aa93621a7c2a6f0b425 | |

VirusTotal Detection Score:

[Screenshot: VirusTotal results for 72214c84e2.proj]

[Screenshot: VirusTotal results for vwnfmo.lnk]


About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
