Cybercriminals are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and fileless, info-stealing malware.
MSBuild (msbuild.exe) is a legitimate, open-source Microsoft application development platform.
The tool can build applications on any Windows system, provided it is given an XML project file that tells it how to automate the build process (compilation, packaging, testing and deployment).
As the Anomali research team observed, the malicious MSBuild project files delivered in this campaign contained encrypted executables and shellcode that the criminals used to inject the final payloads into the memory of newly spawned processes.
"While we were unable to determine the method of distributing the .proj files, the purpose of these files was to load either Remcos or the RedLine Stealer," Anomali analysts said.
Theft of credentials and other sensitive information
The attackers began installing the Remcos RAT, Quasar RAT and RedLine Stealer payloads on their victims' computers last month.
Once installed on a targeted system, these info-stealing RATs can be used to record keystrokes, steal credentials, take screenshots, disable antivirus software, persist on the system for long periods and take full remote control of the device.
Info-stealing malware scans web browsers, messaging applications, VPN clients and cryptocurrency software to steal users' credentials.
RedLine Stealer can also collect system information, cookies and cryptocurrency wallet data from configuration files and app data stored on victims' devices.
Fileless malware helps evade detection
Using Microsoft's legitimate MSBuild tool lets the intruders avoid detection while loading their malicious payloads directly into the memory of a targeted computer.
These attacks are detected by few or no antivirus engines.
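Because the payload never touches disk as a separate binary, detection has to lean on process telemetry rather than file scanning. The following is an added example, not code from the original article or from Anomali, showing one way a defender can flag suspicious MSBuild executions in process-creation events: msbuild.exe started by something other than a normal build tool, or handed a project file that lives in a user-writable location. The field names, parent list and sample events are constructed assumptions; in practice they would be mapped from Sysmon Event ID 1 or Windows Security Event ID 4688.

```python
"""Heuristic triage of msbuild.exe process-creation events.

Added example for this article; not Anomali's or BleepingComputer's code.
Field names (image, command_line, parent_image) and all sample events are
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Parents from which msbuild.exe is normally launched on a developer machine
# (assumed allow-list; tune to the environment).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Project-file argument, quoted or unquoted. MSBuild accepts any XML file,
# so the extension alone is not a filter; we only use it to find the path.
PROJECT_ARG = re.compile(
    r'"([^"]+\.(?:proj|csproj|vbproj|xml))"|(\S+\.(?:proj|csproj|vbproj|xml))\b',
    re.IGNORECASE,
)

# Locations an unprivileged user can write to; a build from here is unusual.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)


def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks suspicious; an empty list means benign."""
    reasons: list[str] = []
    if not ev.image.lower().endswith("\\msbuild.exe"):
        return reasons  # only msbuild.exe launches are in scope

    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent not in BUILD_PARENTS:
        reasons.append(f"msbuild.exe launched by non-build parent {parent}")

    m = PROJECT_ARG.search(ev.command_line)
    if m:
        project = m.group(1) or m.group(2)
        if USER_WRITABLE.search(project):
            reasons.append(f"project file in user-writable location: {project}")
    return reasons


def detect(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run score_event over a batch and keep only the hits."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits


# Constructed sample telemetry: one normal IDE build, one launch from Explorer
# with a project file in the user's Temp directory, one from a command prompt.
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
        r"MSBuild.exe C:\src\app\app.csproj /t:Build",
        r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
    ),
    ProcEvent(
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        r'MSBuild.exe "C:\Users\alice\AppData\Local\Temp\update.proj"',
        r"C:\Windows\explorer.exe",
    ),
    ProcEvent(
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        r"MSBuild.exe C:\src\tools\build.proj",
        r"C:\Windows\System32\cmd.exe",
    ),
]


def run_demo() -> list[tuple[str, list[str]]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for cmdline, reasons in run_demo():
        print(cmdline)
        for r in reasons:
            print("   -", r)
```

The two heuristics are deliberately coarse: the parent check alone will fire on legitimate command-line builds, so the location check is what separates a developer workstation from a workstation where a project file was dropped into Temp or AppData. Both should be tuned against a baseline of the environment's real build activity before being used for alerting.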
According to a security report, fileless malware delivery has increased significantly since 2020.
Anomali stressed that the criminals used fileless malware to bypass security systems.
"This campaign highlights that relying solely on anti-virus software is not enough for cyber defense."
Source: Bleeping Computer