Rewterz Threat Alert – MSBuild to Deliver RATs Filelessly – Active IOCs

Severity

High

Analysis Summary

Threat actors are using Microsoft Build Engine (MSBuild) to deliver remote access trojans (RATs) and RedLine stealer (password-stealing malware) filelessly.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of the .NET Framework. It is used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.

A Russian image-hosting site (joxi[.]net) was used to host shellcodes and encoded executables. Using MSBuild allows the attackers to avoid detection while loading the malicious code into memory.

“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” concludes Anomali. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”

Impact

• Data Breach
• Remote Access

Affected Vendors

Microsoft

Affected Products

MSBuild

Indicators of Compromise

MD5

• 45c94900f312b2002c9c445bd8a59ae6
• d8a57534382a07cc0487b96350bca761
• d52d6bad3d11e9a72998608ccca572f5
• d66740b3ed3884c31d40e3747684411e
• 43660f882cc5971ab83a810398487317
• 192b8ee95537dda7927ba3b45183e6a4
• 1ae425ac2890283ddcf11946e7e8f6ae
• 20621960888a6299123ce5a2df5eabba
• 27b62f7b4b285b880b8c81960aa60b15
• 2d15a4c9184878e25bdf108bd58290b8
• 37bbbbc44c80ff4fe770ce78f6a37ebd
• 603b1cc2d5488dcd8bb0a3b14429c88b
• 62c8efb35b3b9c10e965ec5a236fed2d
• a948e8d3222b9fa8ccbd091230098b78
• ecdb2860af9ce2754d178c80e3303080
• fe84ead033bfeaee70f84d8733b51e08

SHA-256

• 0afff9f670970072dce4ce7530654890226c4b1b3a249079a0f304f7f0309e1d
• a0fee7fc0bdb2add07ca443b69b84d35d8701af65b95d0bc04da502bea1a88b6
• 361a286eb219f4c6805632922dd676cb36c71b1fc92d7975f3b5af1c7ff6aae8
• b8f4f19c516fe1a383c2d6518ef70766ff87d4ed7755fa93688b3bd3d7453fbb
• 759b227259adf08c2ebe250c823963b14a98dd1f17065da47d7ccb7c9c7d5b60
• 6b3123769eddccc90d9bc08640aea942fd414dd919ffc747a7380e496116f813
• 132ed1b306140b416eaf871960fce6c7d8a2f11ec2b7c245a68662cda8b9877f
• fab7972ad422c46254ce6eb8b334e71db0f19ec609f1d6a16c9105189ad159c4
• 39cb804adb8a1bebd9b2d263ebcc047b9cb37477353cb2081297f2958bd85585
• 1201874c48f0efe30b745a747a4fe5140a2f8453bfb378800db9b8af6d72616f
• 4e075115d6bee8e355eece712835c186feb356edab26f5669d42e9c10e575026
• 197f97597ea424edf4c9df70742e8f959af84bc423c1dd756113ccd52c0fad5e
• bcc29672410189773ee4b7c1a14bf04166a49225fbb09d2a7d858fd19db80a13
• 05f28f55fde04d4bbefba14bc70d34cf76de890a5a2cd75458952fa03644dd04
• f9171e7ce93d18987bbb2313f1db15315a89fb58a00460eaeb058efb37d72ecd
• 0afff9f670970072dce4ce7530654890226c4b1b3a249079a0f304f7f0309e1d

SHA1

• e9b32d8dbaecdf8b7256e7b8d2922d50a94e4224
• 5de0793d1f47d8dbb5a11ae50de132dfd9ad2dab
• e984ebb43e861b33bd6db726337215910a5c7616
• d306dfc961862d5df35d589ec33c03d25175bbb1
• a2b3da969c767b348b3025e45df1abd37130069b
• c1a131083fa2bf96df16aba16c9793e47e98e9fa
• cee0b2639e7779383352fc1fd7b819e12b9149d4
• f840f15b58cecccea939a521726b352b8d25970b
• 04d62a079305c52649c6d62afe81eb8cd9e0d8fe
• 645389b8e4c7207ad297307fcebe7f3724183fb1
• f72dc74b8151b0c5579e4ea5a0576a2b3b897889
• 87364e4d0a12b276927b2c2a6a25ef8113d03ea1
• 953af7afd26d27d2d214d96a6c46b58790cf230a
• 946b4c6aa9bebb1ffa15c4dcb88f89187791661e
• a10c52fbeb163b4bc21b81478a2ba976f72af69b
• e9b32d8dbaecdf8b7256e7b8d2922d50a94e4224

Remediation

• Block IoCs at their respective controls.
• Update Information Systems Security policies to include the latest threats.
• Restrict access to sensitive data.
• Protect systems against known threats by updating firewalls and setting up intrusion detection policies.
• Use two-factor authentication.