Hackers have abused an open source development tool provided by Microsoft to deliver password-stealing trojans to unsuspecting victims.
Security researchers at Anomali Threat Research observed a new campaign whereby threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver the Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer.
Researchers said the campaign appeared to have begun in April this year and was ongoing. Hackers used MSBuild — a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” — to deliver RemcosRAT and RedLine stealer using callbacks.
The files delivered contained encoded executables and shellcode — some were hosted on Russian image-hosting site, “joxi[.]net.” While researchers couldn’t determine the distribution method of the .proj files, these files’ objective was to execute either Remcos or RedLine Stealer. Most of the malware analyzed delivered Remcos as the final payload.
Once installed on the victim’s computer, the Remcos trojan allows hackers to remote control, remote admin, remote anti-theft, remote support, and pentest a machine.
RELATED RESOURCE
While Remcos is commercial software created by Breaking Security, hackers often use it for malicious purposes. Researchers said the software enables full access to the infected machine with features like anti-AV, credential harvesting, gathering system information, keylogging, persistence, screen capture, script execution, and more.
The other malware observed in the campaign is Redline Stealer. This malware is written in .Net and when installed on a victim’s system, it can steal multiple types of data, such as cookies, credentials, crypto wallets, NordVPN credentials, stored web browser information, and system information. It will also search for multiple products, including cryptocurrency software, messaging apps, VPNs, and web browsers.
Using MSBuild allows hackers to evade detection while installing malicious payloads directly to a targeted computer's memory.
"The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations," said researchers.
"This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially."
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
CronRat Magecart malware uses 31st February date to remain undetectedNews The malware allows for server-side payment skimming that bypasses browser security
-
Mekotio trojan continues to spread despite its operators’ arrestsNews Hackers have used it in 100 more attacks since arrests
-
“Trojan Source” hides flaws in source code from humansNews Organizations urged to take action to combat the new threat that could result in SolarWinds-style attacks
-
What is Emotet?In-depth A deep dive into one of the most infamous and prolific strains of malware
-
Fake AnyDesk Google ads deliver malwareNews Malware pushed through Google search results
-
Android users told to be on high alert after Cerberus banking Trojan leaks to the dark webNews The source code for the authenticator-breaking malware is available for free on underground forums
-
Qbot malware surges into the top-ten most common business threatsNews An evolved form of the banking Trojan was distributed by number one-ranking Emotet in a campaign that hit 5% of businesses globally
-
BlackRock banking Trojan targets Android apps
News Trojan steals login credentials and credit card information and has targeted more than 300 apps
