Hackers Use Microsoft Build Engine To Deliver Fileless Malware Undetected, Research Found


Microsoft has what it calls the Microsoft Build Engine, a platform for developers to build apps.

The engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but MSBuild does not depend on Visual Studio, so developers can use it to build products in environments where Visual Studio is not installed.

It is a powerful tool, and that is why hackers are using it too.

Researchers from cybersecurity firm Anomali said that hackers are using malicious build files, embedded with encoded executables and shellcode, to deploy backdoors that allow the hackers to take control of victims' machines and steal sensitive information.

Hackers are doing this with MSBuild in order to filelessly distribute remote access trojans (RATs) and password-stealing malware on targeted Windows systems.

The researchers suggest that the campaign has been going on for at least a month.


MSBuild is an open-source build tool made for .NET and Visual Studio.

Developed by Microsoft, the tool allows developers to compile their app's source code. It also helps developers package, test, and deploy their apps.

The hackers' goal in using MSBuild is to distribute the malware without being detected.

By piggybacking on the tool, the hackers use a legitimate app to load their attack code directly into memory, resulting in attacks that leave no traces of infection on the targeted systems.

In other words, the hackers use MSBuild to launch attacks stealthily.

At the time of the findings, two of the files were flagged as malicious by no security vendor.

The first is the MSBuild file vwnfmo.lnk and the second is the 72214c84e2.proj file, neither of which was detected by any antivirus engine as of April 18.
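The point for defenders is that a build file like the two above looks like ordinary project XML, so a hash-based antivirus lookup tells you nothing. What can be checked statically is whether a project file carries an inline task (MSBuild's UsingTask with CodeTaskFactory or RoslynCodeTaskFactory, which compiles C#/VB embedded in the XML at build time) and whether that embedded code holds a large high-entropy string literal where an encoded executable or shellcode would sit. The following triage script is an added example, not code from the article or from Anomali; the project samples it checks are constructed here, and the length and entropy thresholds and the API names it looks for are assumed heuristics to tune for your environment.

```python
import math
import random
import re
import xml.etree.ElementTree as ET

# Heuristic thresholds (assumed values, tune for your environment).
MIN_LITERAL_LEN = 100      # string literals shorter than this are ignored
ENTROPY_THRESHOLD = 4.5    # bits/char; English text ~4.0, base64 of random bytes ~5.8
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# API names an in-memory loader embedded in a build file typically calls (assumed list).
LOADER_HINTS = ("VirtualAlloc", "CreateThread", "Assembly.Load")

LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=]{%d,})"' % MIN_LITERAL_LEN)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def triage_project(xml_text: str) -> list:
    """Return a list of finding strings for one MSBuild project file."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "UsingTask":
            factory = elem.get("TaskFactory", "")
            if factory.lower() in INLINE_FACTORIES:
                findings.append("inline-task: %s via %s" % (elem.get("TaskName", "?"), factory))
        elif name == "Code" and elem.text:
            # Inline task source: look for encoded blobs and loader API names.
            for lit in LITERAL_RE.findall(elem.text):
                h = shannon_entropy(lit)
                if h >= ENTROPY_THRESHOLD:
                    findings.append("high-entropy-literal: %d chars, %.2f bits/char" % (len(lit), h))
            for api in LOADER_HINTS:
                if api in elem.text:
                    findings.append("loader-api: %s" % api)
    return findings


# --- Constructed samples (not real project files) ---------------------------
BENIGN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="app.exe" />
  </Target>
</Project>"""

# Deterministic pseudo-random base64-looking blob standing in for an encoded payload.
_rng = random.Random(1)
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BLOB = "".join(_rng.choice(_B64) for _ in range(400))

SUSPICIOUS_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><InlineWork /></Target>
  <UsingTask TaskName="InlineWork" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      // constructed stub: only holds a large encoded literal, does nothing
      public class InlineWork : Microsoft.Build.Utilities.Task {
        static string data = "__BLOB__";
        public override bool Execute() { return true; }
      }
    ]]></Code></Task>
  </UsingTask>
</Project>""".replace("__BLOB__", BLOB)


if __name__ == "__main__":
    for label, proj in (("benign", BENIGN_PROJECT), ("suspicious", SUSPICIOUS_PROJECT)):
        print(label, triage_project(proj) or "no findings")
```

Run it over every .proj/.csproj/.targets (and any .lnk that parses as XML) under user-writable paths; a hit on both the inline-task and high-entropy checks in a file outside a developer's working tree is worth a look regardless of what the antivirus scan says.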

MSBuild infection chain. (Credit: Anomali)

From the researchers' blog post:

"A fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected. Fileless malware typically uses a legitimate application to load the malware into memory, therefore leaving no traces of infection on the machine and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed an 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack technique, which is likely related to threat actor confidence that such attacks will be successful."

The majority of the samples analyzed by Anomali were found to deliver the Remcos RAT, which stands for 'Remote Control and Surveillance Software'.

Once installed, it grants full access to its targets, allowing the hackers to record keystrokes, capture audio from the microphone and video from the webcam, and execute arbitrary commands.

Others include the Quasar RAT, an open-source .NET-based RAT capable of keylogging, password stealing and more, and the Redline Stealer, which collects user credentials from browsers, VPNs, and messaging clients, in addition to stealing passwords for wallets and cryptocurrency apps.

"The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations," Anomali researchers Tara Gould and Gage Mele said.

"This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially."

Published: 13/05/2021