May 13, 2021
-
Anomali Threat Research
,
Threat Actors Use MSBuild to Deliver RATs Filelessly
<p><em>Authored by: Tara Gould and Gage Mele</em></p> <h3>Key Findings</h3> <ul> <li>Anomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer</li> <li>This campaign, which has low or zero detections on antivirus tools, appears to have begun in April 2021 and was still ongoing as of May 11, 2021.</li> <li>We were unable to determine how the .proj files were distributed, and are unable to make a confident assessment on attribution because both RemcosRAT and RedLine Stealer are commodity malware.</li> </ul> <h2>Overview</h2> <p>Anomali Threat Research discovered a campaign in which threat actors used MSBuild - a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” - to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.<sup>[1]</sup> The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some, hosted on Russian image-hosting site, “joxi[.]net.” While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.</p> <p style="text-align: center;"><em><strong><img alt="Infection chain" src="https://cdn.filestackcontent.com/mD2moKWSTWCvT4Mfe2jc"/><br/> Figure 1</strong> - Infection chain</em></p> <h2>Technical Analysis</h2> <h3>MSBuild</h3> <p>MSBuild is a development tool used for building applications, especially where Visual Studio is not installed.<sup>[2]</sup> MSBuild uses XML project files that contain the specifications to compile the project and, within the configuration file, the “UsingTask” element defines the task that will be compiled by MSBuild. In addition, MSBuild has an inline task feature that enables code to be specified and compiled by MSBuild and executed in memory. This ability for code to be executed in memory is what enables threat actors to use MSBuild in fileless attacks.</p> <p>A fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected.<sup>[3]</sup> Fileless malware typically uses a legitimate application to load the malware into memory, therefore leaving no traces of infection on the machine and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed a 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack technique, which is likely related to threat actor confidence that such attacks will be successful.<sup>[4]</sup></p> <h3>MSBuild Project File (.proj) Analysis</h3> <p><strong>Analyzed File</strong> – imaadp32.proj</p> <p><strong>MD5</strong> – 45c94900f312b2002c9c445bd8a59ae6</p> <p>The file we analyzed is called “imaadp32.proj,” and as shown in Figure 2 below, is an MSBuild project file (.proj). For persistence, mshta is used to execute a vbscript that runs the project file, with a shortcut file (.lnk) added to the startup folder (Figure 3).</p> <p style="text-align: center;"><em><strong><img alt="MSBuild Project Schema for immadp32.proj" src="https://cdn.filestackcontent.com/t200KFVmReMBJynWJW8g"/><br/> Figure 2</strong> - MSBuild Project Schema for immadp32.proj</em></p> <p style="text-align: center;"><em><strong><img alt=".lnk Registry Run Key Created in Startup Folder" src="https://cdn.filestackcontent.com/D83sL6YThSrM5nYHDwbh"/><br/> Figure 3</strong> - .lnk File Created in Startup Folder</em></p> <p>Following the creation of persistence, two large arrays of decimal bytes were decoded by the function shown in Figure 4.</p> <p style="text-align: center;"><em><strong><img alt="Decoding Function" src="https://cdn.filestackcontent.com/7i2NEzZzQyaYJZsZCMOK"/><br/> Figure 4</strong> - Decoding Function</em></p> <p>Porting the decoding function to Python, we created a script (Figure 5 below). By using the variable “dec_list” to contain the decimal to be converted, and the variable “key” representing the string found at the end of decimal, we decoded the function.</p> <pre> def decode_array(dec_list, key): key_array = [] position_array = [] for position in list(range(256)): key_array.append(key[position % len(key)]) position_array.append(position) xxZmgLbpuJ = 0 for position in list(range(256)): xxZmgLbpuJ = (xxZmgLbpuJ + position_array[position] + ord(key_array[position])) % 256 YAFIh = position_array[position] position_array[position] = position_array[xxZmgLbpuJ] position_array[xxZmgLbpuJ] = YAFIh DmqRsaOvxUH = 0 xxZmgLbpuJ = 0 new_array = [] for position in list(range(len(dec_list))): DmqRsaOvxUH += 1 DmqRsaOvxUH %= 256 xxZmgLbpuJ += position_array[DmqRsaOvxUH] xxZmgLbpuJ %= 256 YAFIh = position_array[DmqRsaOvxUH] position_array[DmqRsaOvxUH] = position_array[xxZmgLbpuJ] position_array[xxZmgLbpuJ] = YAFIh new_array.append(dec_list[position] ^ position_array[((position_array[DmqRsaOvxUH] + position_array[xxZmgLbpuJ]) % 256)]) return new_array </pre> <p style="text-align: center;"><em><strong>Figure 5</strong> - Python Script to Decode</em></p> <p>The output decimal list from this function was then converted from bytes, resulting in an executable for the first block and shellcode for the second block.</p> <h2>Shellcode</h2> <p>The malware and shellcode were allocated memory in the process space using VirtualAlloc. After being copied into memory, the shellcode was executed using the callback function pointer in CallWindowProc, shown in Figure 6 below. Other samples leverage the function Delegate.DynamicInvoke instead.</p> <p style="text-align: center;"><em><strong><img alt="Shellcode and Payload Being Loaded Into Memory" src="https://cdn.filestackcontent.com/KphXLpIATmikW09rIg8g"/><br/> Figure 6</strong> - Shellcode and Payload Being Loaded Into Memory</em></p> <p style="text-align: center;"><em><strong><img alt="Encoded shellcode in Project File" src="https://cdn.filestackcontent.com/JpWliX5TCeOMvln6VTUA"/><br/> Figure 7</strong> - Encoded shellcode in Project File</em></p> <p>The shellcode (encoded shown in Figure 7 above) calls, shown in Figure 8 below, were mainly: LoadLibraryW, VirtualAlloc, CreateProccessW, and ZwUnmapViewOfSection. LoadLibraryW loads the module, VirtualAlloc allocates the memory, CreateProcessW created a process, and ZwUnmapViewOfSection is used to unmap memory from a virtual space. These were used to inject the payload into process memory.</p> <p style="text-align: center;"><em><strong><img alt="Calls made by the shellcode" src="https://cdn.filestackcontent.com/MnTpmekBSUiCOt1wLoo1"/><br/> Figure 8</strong> - Calls made by the shellcode</em></p> <h2>Payloads</h2> <h3>RemcosRAT</h3> <p><strong>Analyzed File</strong> –</p> <p><strong>MD5</strong> – 04fc0ca4062dd014d64dcb2fe8dbc966</p> <p>The payload from the project files was a remote access tool (RAT) called Remcos. Remcos is a commercial software created by Breaking Security that, according to their user manual, can be used for remote control, remote admin, remote anti-theft, remote support and pentesting.[5] However, Remcos has often been used by threat actors for malicious purposes. The software, written in C++, enables full access to the infected machine with features including, but not limited to:</p> <ul> <li>Anti-AV</li> <li>Credential harvesting</li> <li>Gathering system information</li> <li>Keylogging</li> <li>Persistence</li> <li>Screen capture</li> <li>Script execution</li> </ul> <p>The themes used by actors to distribute Remcos have varied, including changes designed to adapt to themes or timeframes. For example, recent Remcos campaigns were observed utilizing Tax Day lures.<sup>[6]</sup> The version used in this campaign was 2.6.0, which was released in July 2020 (Figure 9). Additional functions Remcos has been known to utilize are shown in Table 1 below. The persistence technique is simply adding a run registry key for persistence (Figure 11). Remcos has also been observed using its “Watchdog” feature to restart the RAT if it is terminated (Figure 12).</p> <p style="text-align: center;"><em><strong><img alt="Remcos Version 2.6.0 Being Used" src="https://cdn.filestackcontent.com/8itZGVEZT1l7RD90Uakw"/><br/> Figure 9</strong> - Remcos Version 2.6.0 Being Used</em></p> <p style="text-align: center;"><em><strong><img alt="connecting to C2" src="https://cdn.filestackcontent.com/TbgnUUQTTaWjhXnNCjLs"/><br/> Figure 10</strong> - connecting to C2</em></p> <p style="text-align: center;"><em><strong><img alt="Adds Run Registry Key for Persistence" src="https://cdn.filestackcontent.com/xLliB61SS6cs9LaT6A84"/><br/> Figure 11</strong> - Adds Run Registry Key for Persistence</em></p> <p style="text-align: center;"><em><strong><img alt="Watchdog Module" src="https://cdn.filestackcontent.com/YTFNhjogRSCHRY7AfAtX"/><br/> Figure 12</strong> - Watchdog Module</em></p> <p>Figure 12 shows the “Watchdog” module which restarts Remcos in the event the program is terminated.</p> <p><em><strong>Table 1</strong> - Remcos 2.6.0 Features</em></p> <table class="table table-bordered"> <tbody> <tr> <td>Remote Scripting</td> <td>Notifications</td> </tr> <tr> <td>Webcam Capture</td> <td>Remote Command Line</td> </tr> <tr> <td>Clear Logins</td> <td>Remote Chat</td> </tr> <tr> <td>File Manager</td> <td>Remote Input</td> </tr> <tr> <td>Microphone Capture</td> <td>SOCKS Proxy</td> </tr> <tr> <td>Keylogger</td> <td>Login Cleaner</td> </tr> <tr> <td>Screen Logger</td> <td>Local Utilities</td> </tr> <tr> <td>Browser History</td> <td>Registry Editor</td> </tr> <tr> <td>Password Recovery</td> <td>Visibility mode</td> </tr> </tbody> </table> <h3>RedLine Stealer</h3> <p><strong>Analyzed File</strong> – rehoboams.exe</p> <p><strong>MD5</strong> – 6d3e8a2802848d259a3baaaa78701b97</p> <p>In a similar MSBuild project file to the Remcos dropping .proj file, we found another project file named “vwnfmo.lnk“ where RedLine Stealer was dropped instead of Remcos, shown in Figure 13 below. RedLine Stealer is written in .NET and has been observed stealing multiple types of data (full list shown in Table 2 below), including: :</p> <ul> <li>Cookies</li> <li>Credentials (chat clients, VPNs, crypto wallets, browser )</li> <li>Crypto wallet</li> <li>NordVPN (existence of and credentials)</li> <li>Stored web browser information (credit card, username, and password)</li> <li>System Information</li> </ul> <p>RedLine will search for the existence of multiple products that include cryptocurrency software, messaging apps, VPNs, and web browsers (full list shown in Table 2 below).</p> <p style="text-align: center;"><em><strong><img alt="RedLine .NET Information Stealer" src="https://cdn.filestackcontent.com/cHt72igiRFKcXBb5wUGm"/><br/> Figure 13</strong> - RedLine .NET Information Stealer</em></p> <p style="text-align: center;"><em><strong><img alt="RedLine Functions" src="https://cdn.filestackcontent.com/Lle3HEf4RuSCD1mOonzL"/><br/> Figure 14</strong> - RedLine Functions</em></p> <p style="text-align: center;"><em><strong><img alt="Checks for NordVPN Installation" src="https://cdn.filestackcontent.com/lPvpDpRR1qHGQvJDhIHF"/><br/> Figure 15</strong> - Checks for NordVPN Installation</em></p> <p>Figure 15 above shows RedLine checking for NordVPN on the machine. If the path exists, the next function of this malware is to check for the user config to steal the credentials. This function also enables RedLine to steal credentials for additional installed applications.</p> <p><em><strong>Table 2</strong> - Installs RedLine Scans for</em></p> <table class="table table-bordered"> <tbody> <tr> <td>Chrome</td> <td>GameLauncher for Steam</td> </tr> <tr> <td>Filezilla</td> <td>Guarda</td> </tr> <tr> <td>Gecko</td> <td>Jaxx</td> </tr> <tr> <td>Armory</td> <td>Metamask</td> </tr> <tr> <td>Atomic</td> <td>Monero</td> </tr> <tr> <td>Coinom</td> <td>OpenVPN</td> </tr> <tr> <td>DesktopMessenger for Telegram</td> <td>NordVPN</td> </tr> <tr> <td>Discord</td> <td>ProtonVPN</td> </tr> <tr> <td>Electrum</td> <td>Tronlink</td> </tr> <tr> <td>Ethereum</td> <td>Yoroi</td> </tr> </tbody> </table> <h2>Conclusion</h2> <p>The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations. This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially. Focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy, are some recommended courses of action for countering this threat.</p> <h2>Endnotes</h2> <p><sup>[1]</sup> “MSBuild,” Microsoft Visual Studio Docs, accessed May 3, 2021, published November 4, 2016, https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2019.</p> <p><sup>[2]</sup> Ibid.</p> <p><sup>[3]</sup> “What Is Fileless Malware?,” McAfee, accessed May 3, 2021, https://www.mcafee.com/enterprise/en-gb/security-awareness/ransomware/what-is-fileless-malware.html.</p> <p><sup>[4]</sup> “Internet Security Report – Q4 2020,” WatchGuard, accessed May 4, 2021, published March 30, 2021, https://www.watchguard.com/uk/wgrd-resource-center/security-report-q4-2020, 3.</p> <p><sup>[5]</sup> “Remcos Instructions Manual,” Breaking Security, accessed May 4, 2021, published July 2018, https://breaking-security.net/wp-content/uploads/dlm_uploads/2018/07/Remcos-Instructions-Manual-rev19.pdf, 15-16.</p> <p><sup>[6]</sup> Daniel Frank, “Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware,” Cybereason, accessed May 4, 2021, published March 18, 2021, https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers.</p> <h2>Appendix A</h2> <h3>IOCs</h3> <table class="table table-striped table-bordered break-word"> <tbody> <tr> <th>Project File</th> <th>Payload</th> <th>C2</th> <th>Details</th> </tr> <tr> <td>45c94900f312b2002c9c445bd8a59ae6</td> <td>Remcos 04fc0ca4062dd014d64dcb2fe8dbc966</td> <td>135.181.170.169:50845</td> <td> </td> </tr> <tr> <td>d8a57534382a07cc0487b96350bca761</td> <td>Remcos eb8b1d64429e00f2b3b49f886ee3b0b4</td> <td> </td> <td>http://dl4.joxi.net/drive/2021/04/15/0048/3592/3153416/16/b8c104ce64.png</td> </tr> <tr> <td>d52d6bad3d11e9a72998608ccca572f5</td> <td>Remcos 41c0bb6e89ad89af8eef7bec40d4acbb</td> <td> </td> <td> </td> </tr> <tr> <td>d66740b3ed3884c31d40e3747684411e</td> <td>RedLine 302207c3248257d4d9badf4bc4b75483</td> <td>svhost-system-update.net:80</td> <td>http://dl4.joxi.net/drive/2021/04/19/0048/3592/3153416/16/d07409594a.proj</td> </tr> <tr> <td>43660f882cc5971ab83a810398487317</td> <td>RedLine 6d3e8a2802848d259a3baaaa78701b97</td> <td>37.1.206.16:7575</td> <td> </td> </tr> <tr> <td>192b8ee95537dda7927ba3b45183e6a4</td> <td>Remcos b8e9ce084d9d49f565f850c59b003bcf</td> <td> </td> <td><a href="https://www.virustotal.com/gui/url/db5c6f82f2b27fa9a03c87b37bb41292989d06847272099be02a535de19582c4">http://joxi.net/52ap4j7tkJER7m.proj</a></td> </tr> <tr> <td>1ae425ac2890283ddcf11946e7e8f6ae</td> <td>QuasarRat 723f5e75239b66e3d08b83a131c7b66c</td> <td> </td> <td> </td> </tr> <tr> <td>20621960888a6299123ce5a2df5eabba</td> <td>Remcos f174c03d177a04e81677e9c9a9eae0c8</td> <td> </td> <td> </td> </tr> <tr> <td>27b62f7b4b285b880b8c81960aa60b15</td> <td>Remcos cf45b793bc9ec86bfedfa165c01ede15</td> <td> </td> <td> </td> </tr> <tr> <td>2d15a4c9184878e25bdf108bd58290b8</td> <td>Remcos de2ff99ca086a8ad0f9b8027aef696ba</td> <td> </td> <td> </td> </tr> <tr> <td>37bbbbc44c80ff4fe770ce78f6a37ebd</td> <td>Remcos 73790d28f4f8f0f4c402da66c8dc393f</td> <td> </td> <td> </td> </tr> <tr> <td>603b1cc2d5488dcd8bb0a3b14429c88b</td> <td>Remcos 23c5bc4a2e69c3f171561b524ceb4098</td> <td> </td> <td> </td> </tr> <tr> <td>62c8efb35b3b9c10e965ec5a236fed2d</td> <td>Remcos 4def35aedc86a946c13118e14127e0e9</td> <td> </td> <td> </td> </tr> <tr> <td>a948e8d3222b9fa8ccbd091230098b78</td> <td>Remcos 85c700ff566161c77a03f282fa48a246</td> <td> </td> <td> </td> </tr> <tr> <td>ecdb2860af9ce2754d178c80e3303080</td> <td>QuasarRat 7870a7c7e355d1fbf357c846d8bf2aea</td> <td> </td> <td> </td> </tr> <tr> <td>fe84ead033bfeaee70f84d8733b51e08</td> <td>RedLine 4023e57ffbc87aa93621a7c2a6f0b425</td> <td> </td> <td> </td> </tr> </tbody> </table> <h2>Appendix B</h2> <h3>MITRE ATT&CK TTPs Matrix</h3> <table class="table table-striped table-bordered"> <tbody> <tr> <th>Technique</th> <th>ID</th> <th>Name</th> </tr> <tr> <td rowspan="2"><strong>Execution</strong></td> <td>T1059.003</td> <td>Windows Command Shell</td> </tr> <tr> <td>T1059.006</td> <td>Python</td> </tr> <tr> <td rowspan="2"><strong>Persistence</strong></td> <td><a href="https://attack.mitre.org/techniques/T1547">T1547</a>.009</td> <td>Shortcut Modification</td> </tr> <tr> <td><a href="https://attack.mitre.org/techniques/T1547">T1547</a>.001</td> <td><a href="https://attack.mitre.org/techniques/T1547/001">Registry Run Keys / Startup Folder</a></td> </tr> <tr> <td rowspan="3"><strong>Privilege Escalation</strong></td> <td>T1548.002</td> <td>Abuse Elevation Control: Bypass User Account Control</td> </tr> <tr> <td>T1055</td> <td>Process Injection</td> </tr> <tr> <td>T1055.012</td> <td>Process Hollowing</td> </tr> <tr> <td rowspan="10"><strong>Defense Evasion</strong></td> <td>T1140</td> <td>Deobfuscate/Decode Files or Information</td> </tr> <tr> <td>T1112</td> <td>Modify Registry</td> </tr> <tr> <td>T1027</td> <td>Obfuscated Files or Information</td> </tr> <tr> <td>T1055</td> <td>Process Injection</td> </tr> <tr> <td>T1055.002</td> <td>Portable Executable Injection</td> </tr> <tr> <td>T1055.012</td> <td>Process Hollowing</td> </tr> <tr> <td>T1127</td> <td>Trusted Developer Utilities Proxy</td> </tr> <tr> <td>T1127.001</td> <td>MSBuild</td> </tr> <tr> <td>T1497.001</td> <td>System Checks</td> </tr> <tr> <td>T1218.005</td> <td>Signed Binary Proxy Execution: Mshta</td> </tr> <tr> <td rowspan="5"><strong>Credential Access</strong></td> <td>T1555</td> <td>Credentials from Password Stores</td> </tr> <tr> <td>T1555.003</td> <td>Credentials from Web Browsers</td> </tr> <tr> <td>T1539</td> <td>Steal Web Session Cookie</td> </tr> <tr> <td>T1056</td> <td>Input Capture</td> </tr> <tr> <td>T1056.001</td> <td>Keylogging</td> </tr> <tr> <td rowspan="8"><strong>Discovery</strong></td> <td>T1087</td> <td>Account Discovery</td> </tr> <tr> <td>T1083</td> <td>File and Directory Discovery</td> </tr> <tr> <td>T1518</td> <td>Software Discovery</td> </tr> <tr> <td>T1518.001</td> <td>Security Software Discovery</td> </tr> <tr> <td>T1082</td> <td>System Information Discovery</td> </tr> <tr> <td>T1614</td> <td>System Location Discovery</td> </tr> <tr> <td>T1033</td> <td>System Owner/User Discovery</td> </tr> <tr> <td>T1124</td> <td>System Time Discovery</td> </tr> <tr> <td rowspan="4"><strong>Collection</strong></td> <td>T1123</td> <td>Audio Capture</td> </tr> <tr> <td>T1115</td> <td>Clipboard Data</td> </tr> <tr> <td>T1113</td> <td>Screen Capture</td> </tr> <tr> <td>T1125</td> <td>Video Capture</td> </tr> <tr> <td rowspan="2"><strong>Command and Control</strong></td> <td>T1105</td> <td>Ingress Tool Transfer</td> </tr> <tr> <td>T1090</td> <td>Proxy</td> </tr> <tr> <td><strong>Exfiltration</strong></td> <td>T1041</td> <td>Exfiltration Over C2 Channel</td> </tr> </tbody> </table> <h2>Appendix C</h2> <p>Zero Detection on VirusTotal</p> <p><img alt="Zero Detection on VirusTotal" src="https://cdn.filestackcontent.com/mHyHsKKORtib7FFOfSsX"/></p> <p><img alt="Zero Detection on VirusTotal" src="https://cdn.filestackcontent.com/gADdzWHzRyoFKMwfuCyZ"/></p>
