IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers use open source Microsoft dev platform to deliver trojans

Microsoft's Build Engine is being used to deploy Remcos password-stealing malware

Hackers have abused an open source development tool provided by Microsoft to deliver password-stealing trojans to unsuspecting victims.

Security researchers at Anomali Threat Research observed a new campaign whereby threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver the Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer.

Researchers said the campaign appeared to have begun in April this year and was ongoing. Hackers used MSBuild — a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” — to deliver RemcosRAT and RedLine stealer using callbacks.

The files delivered contained encoded executables and shellcode — some were hosted on Russian image-hosting site, “joxi[.]net.” While researchers couldn’t determine the distribution method of the .proj files, these files’ objective was to execute either Remcos or RedLine Stealer. Most of the malware analyzed delivered Remcos as the final payload.

Once installed on the victim’s computer, the Remcos trojan allows hackers to remote control, remote admin, remote anti-theft, remote support, and pentest a machine.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

While Remcos is commercial software created by Breaking Security, hackers often use it for malicious purposes. Researchers said the software enables full access to the infected machine with features like anti-AV, credential harvesting, gathering system information, keylogging, persistence, screen capture, script execution, and more.

The other malware observed in the campaign is Redline Stealer. This malware is written in .Net and when installed on a victim’s system, it can steal multiple types of data, such as cookies, credentials, crypto wallets, NordVPN credentials, stored web browser information, and system information. It will also search for multiple products, including cryptocurrency software, messaging apps, VPNs, and web browsers.

Using MSBuild allows hackers to evade detection while installing malicious payloads directly to a targeted computer's memory.

"The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations," said researchers.

"This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022