MSBuild Used By Threat Actors to Deliver RATs Filelessly

Threat Actors Use MSBuild to Deliver RATs Filelessly

Authored by: Tara Gould and Gage Mele

Key Findings

  • Anomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer
  • This campaign, which has low or zero detections on antivirus tools, appears to have begun in April 2021 and was still ongoing as of May 11, 2021.
  • We were unable to determine how the .proj files were distributed, and are unable to make a confident assessment on attribution because both RemcosRAT and RedLine Stealer are commodity malware.

Overview

Anomali Threat Research discovered a campaign in which threat actors used MSBuild - a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” - to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.[1] The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some, hosted on Russian image-hosting site, “joxi[.]net.” While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.

Infection chain
Figure 1
- Infection chain

Technical Analysis

MSBuild

MSBuild is a development tool used for building applications, especially where Visual Studio is not installed.[2] MSBuild uses XML project files that contain the specifications to compile the project and, within the configuration file, the “UsingTask” element defines the task that will be compiled by MSBuild. In addition, MSBuild has an inline task feature that enables code to be specified and compiled by MSBuild and executed in memory. This ability for code to be executed in memory is what enables threat actors to use MSBuild in fileless attacks.

A fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected.[3] Fileless malware typically uses a legitimate application to load the malware into memory, therefore leaving no traces of infection on the machine and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed a 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack technique, which is likely related to threat actor confidence that such attacks will be successful.[4]

MSBuild Project File (.proj) Analysis

Analyzed File – imaadp32.proj

MD5 – 45c94900f312b2002c9c445bd8a59ae6

The file we analyzed is called “imaadp32.proj,” and as shown in Figure 2 below, is an MSBuild project file (.proj). For persistence, mshta is used to execute a vbscript that runs the project file, with a shortcut file (.lnk) added to the startup folder (Figure 3).

MSBuild Project Schema for immadp32.proj
Figure 2
- MSBuild Project Schema for immadp32.proj

.lnk Registry Run Key Created in Startup Folder
Figure 3
- .lnk File Created in Startup Folder

Following the creation of persistence, two large arrays of decimal bytes were decoded by the function shown in Figure 4.

Decoding Function
Figure 4
- Decoding Function

Porting the decoding function to Python, we created a script (Figure 5 below). By using the variable “dec_list” to contain the decimal to be converted, and the variable “key” representing the string found at the end of decimal, we decoded the function.

def decode_array(dec_list, key):

    key_array = []
    position_array = []

for position in list(range(256)):
        key_array.append(key[position % len(key)])
        position_array.append(position)

        xxZmgLbpuJ = 0
for position in list(range(256)):
        xxZmgLbpuJ = (xxZmgLbpuJ + position_array[position] + ord(key_array[position])) % 256
        YAFIh = position_array[position]
        position_array[position] = position_array[xxZmgLbpuJ]
        position_array[xxZmgLbpuJ] = YAFIh

        DmqRsaOvxUH = 0
        xxZmgLbpuJ = 0
        new_array = []
for position in list(range(len(dec_list))):
        DmqRsaOvxUH += 1
        DmqRsaOvxUH %= 256
        xxZmgLbpuJ += position_array[DmqRsaOvxUH]
        xxZmgLbpuJ %= 256
        YAFIh = position_array[DmqRsaOvxUH]
        position_array[DmqRsaOvxUH] = position_array[xxZmgLbpuJ]
        position_array[xxZmgLbpuJ] = YAFIh
        new_array.append(dec_list[position] ^ position_array[((position_array[DmqRsaOvxUH] + position_array[xxZmgLbpuJ]) % 256)])


    return new_array

Figure 5 - Python Script to Decode

The output decimal list from this function was then converted from bytes, resulting in an executable for the first block and shellcode for the second block.

Shellcode

The malware and shellcode were allocated memory in the process space using VirtualAlloc. After being copied into memory, the shellcode was executed using the callback function pointer in CallWindowProc, shown in Figure 6 below. Other samples leverage the function Delegate.DynamicInvoke instead.

Shellcode and Payload Being Loaded Into Memory
Figure 6
- Shellcode and Payload Being Loaded Into Memory

Encoded shellcode in Project File
Figure 7
- Encoded shellcode in Project File

The shellcode (encoded shown in Figure 7 above) calls, shown in Figure 8 below, were mainly: LoadLibraryW, VirtualAlloc, CreateProccessW, and ZwUnmapViewOfSection. LoadLibraryW loads the module, VirtualAlloc allocates the memory, CreateProcessW created a process, and ZwUnmapViewOfSection is used to unmap memory from a virtual space. These were used to inject the payload into process memory.

Calls made by the shellcode
Figure 8
- Calls made by the shellcode

Payloads

RemcosRAT

Analyzed File

MD5 – 04fc0ca4062dd014d64dcb2fe8dbc966

The payload from the project files was a remote access tool (RAT) called Remcos. Remcos is a commercial software created by Breaking Security that, according to their user manual, can be used for remote control, remote admin, remote anti-theft, remote support and pentesting.[5] However, Remcos has often been used by threat actors for malicious purposes. The software, written in C++, enables full access to the infected machine with features including, but not limited to:

  • Anti-AV
  • Credential harvesting
  • Gathering system information
  • Keylogging
  • Persistence
  • Screen capture
  • Script execution

The themes used by actors to distribute Remcos have varied, including changes designed to adapt to themes or timeframes. For example, recent Remcos campaigns were observed utilizing Tax Day lures.[6] The version used in this campaign was 2.6.0, which was released in July 2020 (Figure 9). Additional functions Remcos has been known to utilize are shown in Table 1 below. The persistence technique is simply adding a run registry key for persistence (Figure 11). Remcos has also been observed using its “Watchdog” feature to restart the RAT if it is terminated (Figure 12).

Remcos Version 2.6.0 Being Used
Figure 9
- Remcos Version 2.6.0 Being Used

connecting to C2
Figure 10
- connecting to C2

Adds Run Registry Key for Persistence
Figure 11
- Adds Run Registry Key for Persistence

Watchdog Module
Figure 12
- Watchdog Module

Figure 12 shows the “Watchdog” module which restarts Remcos in the event the program is terminated.

Table 1 - Remcos 2.6.0 Features

Remote ScriptingNotifications
Webcam CaptureRemote Command Line
Clear LoginsRemote Chat
File ManagerRemote Input
Microphone CaptureSOCKS Proxy
KeyloggerLogin Cleaner
Screen LoggerLocal Utilities
Browser HistoryRegistry Editor
Password RecoveryVisibility mode

RedLine Stealer

Analyzed File – rehoboams.exe

MD5 – 6d3e8a2802848d259a3baaaa78701b97

In a similar MSBuild project file to the Remcos dropping .proj file, we found another project file named “vwnfmo.lnk“ where RedLine Stealer was dropped instead of Remcos, shown in Figure 13 below. RedLine Stealer is written in .NET and has been observed stealing multiple types of data (full list shown in Table 2 below), including: :

  • Cookies
  • Credentials (chat clients, VPNs, crypto wallets, browser )
  • Crypto wallet
  • NordVPN (existence of and credentials)
  • Stored web browser information (credit card, username, and password)
  • System Information

RedLine will search for the existence of multiple products that include cryptocurrency software, messaging apps, VPNs, and web browsers (full list shown in Table 2 below).

RedLine .NET Information Stealer
Figure 13
- RedLine .NET Information Stealer

RedLine Functions
Figure 14
- RedLine Functions

Checks for NordVPN Installation
Figure 15
- Checks for NordVPN Installation

Figure 15 above shows RedLine checking for NordVPN on the machine. If the path exists, the next function of this malware is to check for the user config to steal the credentials. This function also enables RedLine to steal credentials for additional installed applications.

Table 2 - Installs RedLine Scans for

ChromeGameLauncher for Steam
FilezillaGuarda
GeckoJaxx
ArmoryMetamask
AtomicMonero
CoinomOpenVPN
DesktopMessenger for TelegramNordVPN
DiscordProtonVPN
ElectrumTronlink
EthereumYoroi

Conclusion

The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations. This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially. Focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy, are some recommended courses of action for countering this threat.

Endnotes

[1] “MSBuild,” Microsoft Visual Studio Docs, accessed May 3, 2021, published November 4, 2016, https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2019.

[2] Ibid.

[3] “What Is Fileless Malware?,” McAfee, accessed May 3, 2021, https://www.mcafee.com/enterprise/en-gb/security-awareness/ransomware/what-is-fileless-malware.html.

[4] “Internet Security Report – Q4 2020,” WatchGuard, accessed May 4, 2021, published March 30, 2021, https://www.watchguard.com/uk/wgrd-resource-center/security-report-q4-2020, 3.

[5] “Remcos Instructions Manual,” Breaking Security, accessed May 4, 2021, published July 2018, https://breaking-security.net/wp-content/uploads/dlm_uploads/2018/07/Remcos-Instructions-Manual-rev19.pdf, 15-16.

[6] Daniel Frank, “Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware,” Cybereason, accessed May 4, 2021, published March 18, 2021, https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers.

Appendix A

IOCs

Project FilePayloadC2Details
45c94900f312b2002c9c445bd8a59ae6Remcos 04fc0ca4062dd014d64dcb2fe8dbc966135.181.170.169:50845 
d8a57534382a07cc0487b96350bca761Remcos eb8b1d64429e00f2b3b49f886ee3b0b4 http://dl4.joxi.net/drive/2021/04/15/0048/3592/3153416/16/b8c104ce64.png
d52d6bad3d11e9a72998608ccca572f5Remcos 41c0bb6e89ad89af8eef7bec40d4acbb  
d66740b3ed3884c31d40e3747684411eRedLine 302207c3248257d4d9badf4bc4b75483svhost-system-update.net:80http://dl4.joxi.net/drive/2021/04/19/0048/3592/3153416/16/d07409594a.proj
43660f882cc5971ab83a810398487317RedLine 6d3e8a2802848d259a3baaaa78701b9737.1.206.16:7575 
192b8ee95537dda7927ba3b45183e6a4Remcos b8e9ce084d9d49f565f850c59b003bcf http://joxi.net/52ap4j7tkJER7m.proj
1ae425ac2890283ddcf11946e7e8f6aeQuasarRat 723f5e75239b66e3d08b83a131c7b66c  
20621960888a6299123ce5a2df5eabbaRemcos f174c03d177a04e81677e9c9a9eae0c8  
27b62f7b4b285b880b8c81960aa60b15Remcos cf45b793bc9ec86bfedfa165c01ede15  
2d15a4c9184878e25bdf108bd58290b8Remcos de2ff99ca086a8ad0f9b8027aef696ba  
37bbbbc44c80ff4fe770ce78f6a37ebdRemcos 73790d28f4f8f0f4c402da66c8dc393f  
603b1cc2d5488dcd8bb0a3b14429c88bRemcos 23c5bc4a2e69c3f171561b524ceb4098  
62c8efb35b3b9c10e965ec5a236fed2dRemcos 4def35aedc86a946c13118e14127e0e9  
a948e8d3222b9fa8ccbd091230098b78Remcos 85c700ff566161c77a03f282fa48a246  
ecdb2860af9ce2754d178c80e3303080QuasarRat 7870a7c7e355d1fbf357c846d8bf2aea  
fe84ead033bfeaee70f84d8733b51e08RedLine 4023e57ffbc87aa93621a7c2a6f0b425  

Appendix B

MITRE ATT&CK TTPs Matrix

TechniqueIDName
ExecutionT1059.003Windows Command Shell
T1059.006Python
PersistenceT1547.009Shortcut Modification
T1547.001Registry Run Keys / Startup Folder
Privilege EscalationT1548.002Abuse Elevation Control: Bypass User Account Control
T1055Process Injection
T1055.012Process Hollowing
Defense EvasionT1140Deobfuscate/Decode Files or Information
T1112Modify Registry
T1027Obfuscated Files or Information
T1055Process Injection
T1055.002Portable Executable Injection
T1055.012Process Hollowing
T1127Trusted Developer Utilities Proxy
T1127.001MSBuild
T1497.001System Checks
T1218.005Signed Binary Proxy Execution: Mshta
Credential AccessT1555Credentials from Password Stores
T1555.003Credentials from Web Browsers
T1539Steal Web Session Cookie
T1056Input Capture
T1056.001Keylogging
DiscoveryT1087Account Discovery
T1083File and Directory Discovery
T1518Software Discovery
T1518.001Security Software Discovery
T1082System Information Discovery
T1614System Location Discovery
T1033System Owner/User Discovery
T1124System Time Discovery
CollectionT1123Audio Capture
T1115Clipboard Data
T1113Screen Capture
T1125Video Capture
Command and ControlT1105Ingress Tool Transfer
T1090Proxy
ExfiltrationT1041Exfiltration Over C2 Channel

Appendix C

Zero Detection on VirusTotal

Zero Detection on VirusTotal

Zero Detection on VirusTotal

Subscribe to the Anomali Newsletter

Get the latest Anomali updates and cybersecurity news straight to your inbox each month.

Subscribe Now