Threat actors are using Microsoft Build Engine (MSBuild) to deliver remote access trojans (RATs) and RedLine stealer (password-stealing malware) filelessly.
MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of the .NET Framework. It is used for building apps and gives users an XML schema “that controls how the build platform processes and builds software”. The attackers abuse these XML project files to filelessly deliver RemcosRAT and RedLine stealer using callbacks.
A Russian image-hosting site (joxi[.]net) was used to host the shellcode and encoded executables. Using MSBuild allows the attackers to avoid detection while loading the malicious code into memory.
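As an added defensive illustration (not part of the original article or of Anomali's research): MSBuild compiles and runs inline C# or VB placed inside a `UsingTask` that names a `CodeTaskFactory`/`RoslynCodeTaskFactory`, which is the build-time code-execution primitive that malicious project files of this kind rely on. The scanner below flags project files carrying such inline code so they can be reviewed before a build host executes them; the two sample project files are constructed for the example and contain only a placeholder comment instead of real code.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal project whose UsingTask compiles inline C# at build time.
SAMPLE_SUSPICIOUS = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunMe />
  </Target>
  <UsingTask TaskName="RunMe" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[ /* constructed placeholder: inline C# would be compiled and run here */ ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed sample: an ordinary SDK-style project with no inline task.
SAMPLE_BENIGN = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
</Project>"""


def _local(tag):
    # Strip the MSBuild namespace; newer project files may omit the xmlns entirely.
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(xml_text):
    """Return one finding per UsingTask that compiles inline source during the build."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        if not factory.endswith("CodeTaskFactory"):  # CodeTaskFactory or RoslynCodeTaskFactory
            continue
        code_elems = [c for c in elem.iter() if _local(c.tag) == "Code"]
        findings.append({
            "task": elem.get("TaskName", ""),
            "factory": factory,
            "language": next((c.get("Language", "") for c in code_elems), ""),
            "code_type": next((c.get("Type", "") for c in code_elems), ""),
            "code_bytes": sum(len((c.text or "").strip()) for c in code_elems),
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, find_inline_tasks(doc))
```

Running the scanner over project files arriving on build hosts, or over `.proj`/`.csproj` files passed on the `msbuild.exe` command line in process-creation telemetry, gives reviewers a concrete artifact to inspect rather than relying on antivirus alone.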
“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” concludes Anomali. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”