Posted on May 15, 2021 at 11:21 AM
Hackers Exploiting Microsoft Build Engine to Steal Sensitive Information
Threat actors are exploiting Microsoft Build Engine (MSBuild) to deliver remote access trojans filelessly. The malware steals passwords on compromised Windows systems.
According to cybersecurity researchers at Anomali, the campaign was launched last month. The malicious build files carry embedded shellcode and executables that install a backdoor, allowing the attackers to control the targeted system and steal personal data.
MSBuild is an open-source build tool from Microsoft for .NET and Visual Studio. It compiles source code and handles deployment, packaging, and testing.
Sophisticated attack
The threat actors are abusing MSBuild to attack a system filelessly while staying undetected. To avoid detection, the malware uses a legitimate application to load the attack code directly into the memory of the affected device, leaving no trace of the compromise. Such a strategy shows that the attackers are going to great lengths to stay under the radar.
At the time of publication, only two security vendors detected one of the files used in the MSBuild campaign (vwnfmo.lnk); the second file (72214c84e2.proj) was not detected by any anti-malware engine. Most of the samples analyzed by Anomali delivered Remcos RAT, while others delivered Quasar RAT and RedLine Stealer.
When Remcos (Remote Control and Surveillance Software) is installed on a device, it gives the attacker complete remote control of it. Its features include recording keystrokes, executing arbitrary commands, and recording from the microphone and webcam.
Quasar, by contrast, is an open-source .NET-based RAT that steals passwords and logs keystrokes, among other capabilities. As its name suggests, RedLine Stealer harvests user credentials from browsers, VPN clients and messaging platforms, and also steals cryptocurrency wallets.
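The practical detection question raised by this campaign is how a defender spots MSBuild being used as an execution vehicle rather than a build tool. The script below is an added example written for this article, not Anomali's tooling: it scores Sysmon-style process-creation events for MSBuild.exe launched against a project file in a user-writable location or from an unexpected parent process, and it inspects the referenced project file for MSBuild inline code tasks (UsingTask elements with a CodeTaskFactory or an embedded Code element), which MSBuild compiles and runs at build time. The sample events, project files, "expected parent" list and suspicious-directory list are constructed assumptions and should be tuned for your own estate; the file names 72214c84e2.proj and vwnfmo.lnk come from the article.

```python
"""Added triage helper (not Anomali's tooling): flag MSBuild.exe launches that look like
living-off-the-land abuse and inspect the referenced project file for inline code tasks.
All sample events and project files below are constructed for this example."""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing files you do not trust

# Assumption: legitimate builds are normally started by IDE/SDK tooling. Tune for your estate.
EXPECTED_PARENTS = ("devenv.exe", "dotnet.exe", "msbuild.exe")
# User-writable locations where a legitimate build rarely lives (constructed list).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Quoted or bare path to an MSBuild project/targets file on the command line.
PROJ_ARG = re.compile(r'("[^"]+\.(?:proj|csproj|vbproj|targets)"|\S+\.(?:proj|csproj|vbproj|targets))', re.I)

SAMPLE_EVENTS = [  # (image, command_line, parent_image): constructed, Sysmon-style fields
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\72214c84e2.proj",
     r"C:\Windows\explorer.exe"),
    (r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]

BENIGN_PROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Message Text="building" /></Target>
</Project>"""

# Constructed skeleton of a project file that carries inline source code; the body is a placeholder.
SUSPICIOUS_PROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><T /></Target>
  <UsingTask TaskName="T" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      // constructed placeholder: inline C# compiled and run by MSBuild at build time
    ]]></Code></Task>
  </UsingTask>
</Project>"""


def project_file_from_cmdline(cmdline):
    """Return the project/targets file passed to MSBuild, or None if there is none."""
    m = PROJ_ARG.search(cmdline)
    return m.group(1).strip('"') if m else None


def score_event(image, cmdline, parent):
    """Return reasons an MSBuild launch looks suspicious (empty list = nothing notable)."""
    reasons = []
    if not image.lower().endswith("\\msbuild.exe"):
        return reasons
    proj = project_file_from_cmdline(cmdline)
    if proj and any(d in proj.lower() for d in SUSPICIOUS_DIRS):
        reasons.append(f"project file in user-writable location: {proj}")
    if not parent.lower().endswith(EXPECTED_PARENTS):
        reasons.append(f"unexpected parent process: {parent}")
    return reasons


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any


def inline_code_tasks(proj_xml):
    """List (TaskName, TaskFactory) for UsingTask elements that embed source code.
    Such a file is a code-execution vehicle, not merely a build description."""
    root = ET.fromstring(proj_xml)
    found = []
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        has_code = any(_local(c.tag) == "Code" for c in el.iter())
        if "CodeTaskFactory" in factory or has_code:
            found.append((el.get("TaskName", "?"), factory or "(none)"))
    return found


def triage(events, project_files):
    """Combine both checks. project_files maps a path to its content, standing in for disk reads."""
    report = []
    for image, cmdline, parent in events:
        reasons = score_event(image, cmdline, parent)
        proj = project_file_from_cmdline(cmdline) if image.lower().endswith("\\msbuild.exe") else None
        if proj and proj in project_files:
            for name, factory in inline_code_tasks(project_files[proj]):
                reasons.append(f"inline code task '{name}' via {factory}")
        if reasons:
            report.append((cmdline, reasons))
    return report


if __name__ == "__main__":
    files = {r"C:\Users\alice\AppData\Local\Temp\72214c84e2.proj": SUSPICIOUS_PROJ}
    for cmdline, reasons in triage(SAMPLE_EVENTS, files):
        print(cmdline)
        for r in reasons:
            print("  -", r)
```

The two signals are deliberately independent: a project file under a Temp or Downloads directory is worth a look even when the parent is a shell, and an inline code task is worth a look wherever the file lives, because a normal build script declares what to compile rather than shipping the code itself.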
“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” Anomali researchers Tara Gould and Gage Mele said. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially,” the researchers added.
Increased malware attacks
This is not the first time threat actors have used a sophisticated approach to launch an attack that evades detection. A report released by Malwarebytes a few days earlier indicated that the Magecart hacker group was using a similar approach to steal sensitive information.
The group is known for stealthy attacks that stay under the radar of anti-malware engines for long periods. According to Malwarebytes, the attackers were exploiting PHP backdoors to gain remote access to servers and then injecting JavaScript code into e-commerce platforms.
Magecart used this access to target online shopping carts through a technique known as formjacking: skimming code disguised as legitimate JavaScript collects credit card details in real time, and the data is later transferred to a remote server.
Unlike similar attacks that are launched on the client side, the threat actors were injecting the skimmer from the merchant side. With such malware going undetected by anti-malware software, organizations have to go back to the basics of safe internet browsing, and cybersecurity vendors have to come up with more sophisticated ways of dealing with such attacks.
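Because a merchant-side injection lands in the page the server itself serves, the most direct check a shop operator can run is to compare the scripts on a served page against a known-good baseline. The script below is an added example written for this article (it is not Malwarebytes' tooling or anything from the report): it extracts external script sources and inline script bodies from HTML, flags external scripts whose host is outside an allowlist, and flags inline scripts whose SHA-256 is not in the baseline. The HTML pages, the allowlisted host cdn.example-shop.test and the injected host cdn-metrics.example are constructed for the example.

```python
"""Added example (not from Malwarebytes or the article): detect script injection on a shop
page by comparing its scripts against a known-good baseline. HTML samples are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Gather external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inline_script_hashes(html):
    """Baseline: SHA-256 of every inline script body on a known-good copy of the page."""
    p = _ScriptCollector()
    p.feed(html)
    return {hashlib.sha256(b.encode()).hexdigest() for b in p.inline}


def audit_page(html, allowed_hosts, known_inline_hashes):
    """Return findings: scripts loaded from hosts outside the allowlist, and inline scripts
    whose hash is not in the baseline. A relative src (same origin) counts as first-party."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {src}")
    for body in p.inline:
        h = hashlib.sha256(body.encode()).hexdigest()
        if h not in known_inline_hashes:
            findings.append(f"unknown inline script (sha256 {h[:12]}...)")
    return findings


ALLOWED_HOSTS = {"cdn.example-shop.test"}  # assumption: the shop's own CDN

BASELINE_HTML = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="/static/cart.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed stand-ins for an injected third-party loader and an injected inline script.
INJECTED = ('<script src="https://cdn-metrics.example/t.js"></script>\n'
            '<script>(function(){/* constructed placeholder for injected code */})();</script>\n')
COMPROMISED_HTML = BASELINE_HTML.replace("</body>", INJECTED + "</body>")


if __name__ == "__main__":
    baseline = inline_script_hashes(BASELINE_HTML)
    print("baseline page:", audit_page(BASELINE_HTML, ALLOWED_HOSTS, baseline))
    print("modified page:", audit_page(COMPROMISED_HTML, ALLOWED_HOSTS, baseline))
```

Run against a page fetched from the live site on a schedule, the same two signals (an unknown script host, or an inline script whose hash has changed without a deploy) catch a merchant-side injection regardless of whether any anti-malware engine recognises the skimmer itself; the baseline must be refreshed from a trusted build each time the shop legitimately changes its front-end code.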