Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution

Malicious operations have recently been spotted abusing the Microsoft Build Engine (MSBuild) to execute the Cobalt Strike payload on vulnerable machines.
MSBuild, which is used to create Windows applications, has a project file element called ‘Tasks’ that indicates the components executed during project development. The threat actors misuse these Tasks to run malicious code under the guise of MSBuild.
Two independent malicious campaigns have been seen utilising MSBuild for code execution in the last week, according to Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho.
According to security researchers from threat intelligence firm Anomali, an ongoing campaign exploits the Microsoft Build Engine (MSBuild) infrastructure for fileless malware delivery.
MSBuild, described as Microsoft’s and Visual Studio’s build infrastructure, contains a capability that allows developers to request that code be executed in memory. Adversaries have taken advantage of this capability in a new campaign for fileless delivery of malicious payloads.
The threat actors often employ a genuine remote desktop protocol (RDP) account to obtain access to the target environment, then use remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload.
The malicious MSBuild project was created to build and run certain C# code, which decodes and runs Cobalt Strike.
Marinho further claims that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command and control server.
To stay protected from such threats, organizations should set a Windows Defender Application Control (WDAC) policy that blocks Microsoft-signed applications which can be used to execute other code, according to the researcher. MSBuild.exe is one of the programmes on that list.
“There is a note for MSBuild.exe, however,” Marinho concludes, “that if the system is utilized in a development context to create managed programmes, the recommendation is to allow MSBuild.exe in the code integrity policies.”
The Overview of the Story
Threat actors utilised MSBuild – a tool for building apps that gives customers an XML schema “that governs how the build platform processes and builds software” – to filelessly deploy RemcosRAT and RedLine stealer utilising callbacks, according to Anomali Threat Research.
Some of the malicious MSBuild files we found in this campaign contained encoded executable and shell code, and some of them were hosted on the Russian image-hosting site “joxi[.]net.”
While we were unable to ascertain how the .proj files were distributed, the goal of these files was to run Remcos or RedLine Stealer. Remcos is the ultimate payload in the vast majority of the samples we examined.
What is MSBuild?
MSBuild is a development tool used to create programmes when Visual Studio is not available. MSBuild compiles projects using XML project files that include the build specifications; the “UsingTask” element in the project file defines a task that MSBuild will compile. Furthermore, MSBuild offers an inline task capability that allows code to be specified, compiled, and executed in memory by MSBuild itself. Threat actors can use MSBuild in fileless attacks because of this ability to execute code in memory.
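The inline task mechanism described above leaves a recognisable trace in the project file itself: a “UsingTask” that carries a code-compiling task factory and an embedded “Code” body. The following scanner, an added example that is not from the article or from any of the researchers quoted, parses project XML and flags such tasks; the two sample projects and the payload hint strings are constructed for illustration.

```python
"""Flag MSBuild project files that carry inline tasks compiled and run in memory.
Added detection example, not from the article. The sample projects below are
constructed; UsingTask, TaskFactory and Code are real MSBuild schema names.
"""
import xml.etree.ElementTree as ET

# Task factories that compile the embedded <Code> and execute it inside MSBuild.exe.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Cheap content heuristics for a decoded or in-memory payload; tune for your estate.
PAYLOAD_HINTS = ("FromBase64String", "Assembly.Load", "VirtualAlloc")


def _local(tag):
    """Strip the XML namespace so old (namespaced) and SDK-style projects both match."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def find_inline_tasks(project_xml):
    """Return one finding per UsingTask that embeds inline code."""
    findings = []
    for elem in ET.fromstring(project_xml).iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        code = "".join((c.text or "") for c in elem.iter() if _local(c.tag) == "Code")
        if factory in INLINE_FACTORIES or code:
            findings.append({
                "task": elem.get("TaskName", "?"),
                "factory": factory,
                "code_chars": len(code),
                "suspicious": any(h in code for h in PAYLOAD_HINTS),
            })
    return findings


# Constructed sample: an inline C# task that decodes a blob, as the article describes.
SAMPLE_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><RunMe /></Target>
  <UsingTask TaskName="RunMe" TaskFactory="CodeTaskFactory">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      // stand-in body: real samples decode and run a payload here
      byte[] blob = System.Convert.FromBase64String("AAAA");
    ]]></Code></Task>
  </UsingTask>
</Project>"""

# Constructed sample: an ordinary SDK-style project with no inline task.
BENIGN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""
```

Running `find_inline_tasks` over every .proj/.csproj found on an endpoint, or over files written by a user that is not a developer, gives a file-based signal to pair with the process-based WDAC control the article recommends.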
It was also reported that Cobalt Strike had not been seen in the APT attacks before this. Cobalt Strike is regarded as Windows-only malware.