{"id":6042,"date":"2021-05-17T03:59:03","date_gmt":"2021-05-17T03:59:03","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=6042"},"modified":"2021-05-17T03:59:05","modified_gmt":"2021-05-17T03:59:05","slug":"hackers-abuse-microsoft-build-engine","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/","title":{"rendered":"Hackers Abuse Microsoft Build Engine to Deliver Password-Stealing Malware Filelessly"},"content":{"rendered":"\n<p>Anomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver the Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer.<\/p>\n\n\n\n<p>Threat actors used MSBuild, a build tool that gives users an XML schema \u201cthat controls how the build platform processes and builds software,\u201d to filelessly deliver RemcosRAT and RedLine Stealer using callbacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Infection Chain<\/strong><\/h3>\n\n\n\n<p>Security researchers <a href=\"https:\/\/www.anomali.com\/blog\/threat-actors-use-msbuild-to-deliver-rats-filelessly\" target=\"_blank\" rel=\"noreferrer noopener\">observed<\/a> that the malicious MSBuild files contained encoded executables and shellcode, with some hosted on the Russian image-hosting site \u201cjoxi[.]net.\u201d<\/p>\n\n\n\n<p><em>Researchers mention, \u201cIt was unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. 
The majority of the samples analyzed deliver Remcos as the final payload\u201d.<\/em><\/p>\n\n\n\n<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-pGoErmowOqM\/YKHoyCXxAnI\/AAAAAAAANIg\/sS_tqMl3naoR9xvGm0ecv3Cw9sIisRNfwCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine1.png\" alt=\"\"\/><figcaption><em>Infection Chain<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>MSBuild has an inline task feature that enables code to be specified in the project file, compiled by MSBuild, and executed in memory. This ability to execute code in memory is what enables threat actors to use MSBuild in fileless attacks.<\/p>\n\n\n\n<p>Fileless malware usually uses a legitimate application to load the malware into memory, thus leaving no traces of infection on the machine and making it difficult to detect.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>RemcosRAT<\/strong><\/h3>\n\n\n\n<p>Most of the malware analyzed delivered Remcos as the final payload. Once installed on the victim\u2019s computer, the Remcos trojan gives hackers remote control, remote administration, remote anti-theft, remote support, and pentest capabilities on the machine.<\/p>\n\n\n\n<p>Researchers said the software enables full access to the infected machine with features like anti-AV, credential harvesting, gathering system information, keylogging, persistence, screen capture, script execution, and more.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What is RedLine Stealer Malware?<\/strong><\/h3>\n\n\n\n<p>The other malware observed in the campaign is RedLine Stealer. 
This malware is written in .NET and, when installed on a victim\u2019s system, it can steal multiple types of data, such as cookies, credentials, crypto wallets, NordVPN credentials, stored web browser information, and system information.<\/p>\n\n\n\n<p>RedLine will search for the existence of multiple products that include cryptocurrency software, messaging apps, VPNs, and web browsers.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Final Word<\/strong><\/h4>\n\n\n\n<p>This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and that the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially. Focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy, are some recommended courses of action for countering this threat.<\/p>\n\n\n\n<p><strong>Also Read<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/cybersecuritynews.com\/teabot-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">TeaBot \u2013 A New Malware that Steals Victims\u2019 Credentials and Intercepts SMS Messages<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-flaws-russian-hackers\/\" target=\"_blank\" rel=\"noreferrer noopener\">Top 12 Security Flaws Exploited by Russian Hackers to Target Organisations Globally<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer. 
Threat actors used MSBuild, a tool used for building apps and gives users an XML schema \u201cthat controls how the build platform processes and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6044,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png","fifu_image_alt":"Hackers Abuse Microsoft Build Engine","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10,48],"tags":[149,266],"class_list":{"0":"post-6042","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security","8":"category-threats","9":"tag-cyber-security","10":"tag-malware"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Hackers Abuse Microsoft Build Engine to Deliver Malware<\/title>\n<meta name=\"description\" content=\"Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hackers Abuse Microsoft Build Engine to Deliver Password-Stealing Malware Filelessly\" \/>\n<meta property=\"og:description\" content=\"Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos 
remote access tool (RAT) and password-stealing malware\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-17T03:59:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-17T03:59:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Hackers Abuse Microsoft Build Engine to Deliver Malware","description":"Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/","og_locale":"en_US","og_type":"article","og_title":"Hackers Abuse Microsoft Build Engine to Deliver Password-Stealing Malware Filelessly","og_description":"Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware","og_url":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2021-05-17T03:59:03+00:00","article_modified_time":"2021-05-17T03:59:05+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png","type":"","width":"","height":""}],"author":"Guru Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"Hackers Abuse Microsoft Build Engine to Deliver Password-Stealing Malware Filelessly","datePublished":"2021-05-17T03:59:03+00:00","dateModified":"2021-05-17T03:59:05+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/"},"wordCount":425,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png?w=728&resize=728,380&ssl=1","keywords":["cyber security","malware"],"articleSection":["Cyber Security","Threats"],"inLanguage":"en-US","copyrightYear":"2021","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/","url":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/","name":"Hackers Abuse Microsoft Build Engine to Deliver 
Malware","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png?w=728&resize=728,380&ssl=1","datePublished":"2021-05-17T03:59:03+00:00","dateModified":"2021-05-17T03:59:05+00:00","description":"Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#primaryimage","url":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png?w=728&resize=728,380&ssl=1","contentUrl":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png?w=728&resize=728,380&ssl=1","width":"728","height":"380","caption":"Hackers Abuse Microsoft Build Engine"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"Hackers 
Abuse Microsoft Build Engine to Deliver Password-Stealing Malware Filelessly"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World&#039;s #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of 
CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-pVWgBClqVwQ\/YKHoyIDAFzI\/AAAAAAAANIc\/aGBKt5i7JFMgufCBlhOgUnbZQnY7_rCdgCLcBGAsYHQ\/s16000\/Hackers%2BAbuse%2BMicrosoft%2BBuild%2BEngine.png?w=728&resize=728,380&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=6042"}],"version-history":[{"count":1,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6042\/revisions"}],"predecessor-version":[{"id":6043,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6042\/revisions\/6043"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/6044"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=6042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=6042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=6042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}