Thursday, May 23, 2024

Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution

Malicious operations have recently been spotted abusing the Microsoft Build Engine (MSBuild) to execute the Cobalt Strike payload on vulnerable machines.

MSBuild, which is used to create Windows applications, has a project file element called ‘Tasks’ that indicates the components executed during a build. The threat actors are misusing these Tasks to run malicious code under the guise of MSBuild.

Two independent malicious campaigns have been seen utilizing MSBuild for code execution in the last week, according to Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho.

According to security researchers from threat intelligence firm Anomali, an ongoing campaign exploits the Microsoft Build Engine (MSBuild) infrastructure for fileless malware delivery.

MSBuild, described as the build infrastructure for Microsoft and Visual Studio, contains a capability that allows developers to request that code be executed in memory. The adversaries have taken advantage of this in a new campaign for fileless delivery of malicious payloads.

The threat actors often employ a genuine remote desktop protocol (RDP) account to obtain access to the target environment, then use remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload.

The malicious MSBuild project was crafted to compile and run C# code that decodes and executes Cobalt Strike.


Marinho further claims that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command and control server.

To stay protected from such threats, the researcher recommends that organizations configure a Windows Defender Application Control (WDAC) policy to block Microsoft-signed applications that can be used to execute other code. Microsoft publishes a list of such programmes, and MSBuild.exe is on it.

“There is a note for MSBuild.exe, however,” Marinho concludes, “that if the system is utilized in a development context to create managed programmes, the recommendation is to allow MSBuild.exe in the code integrity policies.”

The Overview of the Story

Threat actors utilised MSBuild – a tool for building apps that gives customers an XML schema “that governs how the build platform processes and builds software” – to filelessly deploy RemcosRAT and RedLine stealer utilising callbacks, according to Anomali Threat Research.

Some of the malicious MSBuild files we found in this campaign contained encoded executable and shell code, and some of them were hosted on the Russian image-hosting site “joxi[.]net.”

While we were unable to ascertain how the .proj files were distributed, the goal of these files was to run Remcos or RedLine Stealer. Remcos was the final payload in the vast majority of the samples we examined.

What is MSBuild?

MSBuild is a development tool used to build programmes when Visual Studio is not available. MSBuild compiles projects from XML project files that contain the build specifications; the “UsingTask” element in such a file defines a task that MSBuild will compile. Furthermore, MSBuild offers an inline task capability that allows code to be specified, compiled, and executed in memory by MSBuild. This ability to execute code in memory is what lets threat actors use MSBuild in fileless attacks.
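As an added illustration (not code from the article or from the researchers it cites), the following Python triage helper parses an MSBuild project file for UsingTask elements that use an inline task factory and flags embedded code that decodes a long base64 literal, the pattern described above. The sample project, its task name and the scoring thresholds are constructed for this example.

```python
"""Flag MSBuild project files that carry inline (compiled-in-memory) code."""
import re
import xml.etree.ElementTree as ET

# Task factories that compile the <Code> element in memory at build time.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# A long run of base64 alphabet characters, typical of an embedded encoded payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def _local(tag):
    """Strip the XML namespace: '{http://...}UsingTask' -> 'UsingTask'."""
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(project_xml):
    """Return one finding dict per UsingTask that uses an inline task factory."""
    findings = []
    for el in ET.fromstring(project_xml).iter():
        factory = el.get("TaskFactory", "")
        if _local(el.tag) != "UsingTask" or factory not in INLINE_FACTORIES:
            continue
        code_el = next((c for c in el.iter() if _local(c.tag) == "Code"), None)
        code = (code_el.text or "") if code_el is not None else ""
        findings.append({
            "task": el.get("TaskName", ""),
            "factory": factory,
            "language": code_el.get("Language", "cs") if code_el is not None else "",
            "code_chars": len(code),
            "has_long_base64": bool(B64_RUN.search(code)),
            "decodes_base64": "FromBase64String" in code,
        })
    return findings

def risk_score(finding):
    """Crude triage score (1-5): inline code is notable; decoding a long blob is worse."""
    return 1 + 2 * finding["has_long_base64"] + 2 * finding["decodes_base64"]

# Constructed sample: the shape of an inline-task project, with a harmless body.
BLOB = "QUFB" * 80  # 320 base64-looking characters standing in for an encoded payload
SAMPLE_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Hello /></Target>
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">
      var blob = Convert.FromBase64String("__BLOB__");
      Log.LogMessage("decoded " + blob.Length + " bytes");
    </Code></Task>
  </UsingTask>
</Project>""".replace("__BLOB__", BLOB)
```

Running `find_inline_tasks(SAMPLE_PROJECT)` on the constructed project yields one finding with the maximum score; a project that only uses compiled task assemblies yields none.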

According to news reports, Cobalt Strike had not appeared in this way before the APT attacks. Cobalt Strike is designed as Windows-only malware.
