Malicious campaigns have been discovered taking advantage of Microsoft Build Engine (MSBuild), the open-source build toolset for native C++ and managed code that is part of the .NET Framework.
What has happened?
A researcher from Morphus Labs discovered two separate malicious campaigns abusing MSBuild to run the Cobalt Strike payload on targeted systems.
- The attackers first gain access to the target environment with an RDP account, then use remotely created Windows services for lateral movement, and finally use MSBuild to run the Cobalt Strike Beacon payload.
- The Beacon is used to decrypt the SSL-encrypted communication with the C2 server.
- To examine the code run by the MSBuild project, the researchers dumped the variable buff, which stores the decrypted malicious content, and reused the same decryption function to decrypt the code.
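The three steps above (RDP logon, a remotely installed Windows service, MSBuild launched to build a project from a staging directory) are what a defender would try to correlate in process-creation and service telemetry. The following is an added example, not code from the article or from Morphus Labs: it runs a small correlation over constructed sample records (the hosts, user names, paths and timestamps are invented, and the field names are assumptions about what a collector would provide). The checks map to real Windows semantics, logon type 10 being a RemoteInteractive (RDP) logon and MSBuild.exe normally being spawned by a developer tool rather than by services.exe, but the scoring is illustrative.

```python
"""Correlate MSBuild launches with a preceding RDP logon and service install.

Added example; not part of the cyware article or the Morphus Labs research.
Record layout, host names, users, paths and times are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "logon", "service_install" or "process_create"
    data: dict     # collector-specific fields (assumed names)


# Constructed sample telemetry: one suspicious chain on srv01, one benign
# developer build on dev07 for contrast. None of these values are real IoCs.
SAMPLE = [
    Event(datetime(2021, 8, 2, 9, 0, 0), "srv01", "logon",
          {"user": "CORP\\svc_backup", "logon_type": 10, "src_ip": "10.0.5.17"}),
    Event(datetime(2021, 8, 2, 9, 4, 0), "srv01", "service_install",
          {"service": "UpdaterSvc", "image": r"C:\Windows\Temp\run.bat"}),
    Event(datetime(2021, 8, 2, 9, 4, 30), "srv01", "process_create",
          {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
           "parent": r"C:\Windows\System32\services.exe",
           "cmdline": r"MSBuild.exe C:\Windows\Temp\build.proj"}),
    Event(datetime(2021, 8, 2, 10, 0, 0), "dev07", "process_create",
          {"image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
           "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
           "cmdline": r"MSBuild.exe C:\src\app\app.csproj"}),
]

# Parents that a legitimate developer build rarely has (assumed tuning list).
SUSPICIOUS_PARENTS = {"services.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
# Directories commonly used to stage dropped project files (assumed tuning list).
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\programdata\\",
                "\\appdata\\local\\temp\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msbuild_indicators(ev):
    """Return the reasons a process_create event looks like MSBuild abuse (empty if none)."""
    if ev.kind != "process_create" or basename(ev.data["image"]) != "msbuild.exe":
        return []
    reasons = []
    if basename(ev.data["parent"]) in SUSPICIOUS_PARENTS:
        reasons.append("parent " + basename(ev.data["parent"]))
    if any(d in ev.data["cmdline"].lower() for d in STAGING_DIRS):
        reasons.append("project file in staging/temp directory")
    return reasons


def correlate(events, window=timedelta(minutes=15)):
    """Flag suspicious MSBuild launches and enrich each with the RDP logon
    (logon type 10) and service install seen on the same host within `window`."""
    alerts = []
    for ev in events:
        reasons = msbuild_indicators(ev)
        if not reasons:
            continue
        prior = [e for e in events
                 if e.host == ev.host and ev.ts - window <= e.ts < ev.ts]
        rdp = any(e.kind == "logon" and e.data.get("logon_type") == 10 for e in prior)
        svc = any(e.kind == "service_install" for e in prior)
        alerts.append({"host": ev.host, "ts": ev.ts, "reasons": reasons,
                       "rdp_logon": rdp, "new_service": svc,
                       "score": len(reasons) + int(rdp) + int(svc)})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a)
```

Only the srv01 launch is reported: it is a child of services.exe, builds a project from C:\Windows\Temp, and is preceded on the same host by an RDP logon and a new service, so it scores 4. The Visual Studio build on dev07 produces no indicators and is not reported, which is the point of keying on parent process and project location rather than on MSBuild.exe alone.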
Recent attacks on MSBuild
The recent malicious campaign is not the first to abuse MSBuild; the toolset has been abused by various attackers in the past as well.
- In June, in one unusual Hades intrusion, MSBuild was used to execute a file laden with a Metasploit payload.
- In May, attackers were seen abusing MSBuild to spread information stealers and RATs.
Conclusion
Attackers continue to take advantage of open-source and legitimate tools to achieve their goals. However, the researchers have stated that a Windows Defender Application Control (WDAC) policy can prevent these kinds of attacks, as it controls which applications are allowed to run and so stops them from executing malicious payloads.
Source: https://cyware.com/news/msbuild-abused-for-execution-of-cobalt-strike-beacon-b18927e9