Authored by: Tara Gould and Gage Mele
- Anomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver the Remcos remote access tool (RAT) and the password-stealing malware commonly known as RedLine Stealer.
- This campaign, which has low or zero detections on antivirus tools, appears to have begun in April 2021 and was still ongoing as of May 11, 2021.
- We were unable to determine how the .proj files were distributed, and are unable to make a confident assessment on attribution because both RemcosRAT and RedLine Stealer are commodity malware.
Anomali Threat Research discovered a campaign in which threat actors used MSBuild, a tool for building applications that gives users an XML schema “that controls how the build platform processes and builds software,” to filelessly deliver Remcos RAT and RedLine Stealer using callbacks. The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some hosted on the Russian image-hosting site joxi[.]net. While we were unable to determine the distribution method of the .proj files, their objective was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.
Figure 1 - Infection chain
MSBuild is a development tool used for building applications, especially where Visual Studio is not installed. MSBuild uses XML project files that contain the specifications to compile the project; within the project file, the “UsingTask” element defines the task that MSBuild will compile. In addition, MSBuild has an inline task feature that allows code to be specified in the project file, compiled by MSBuild, and executed in memory. This ability to execute code in memory is what enables threat actors to use MSBuild in fileless attacks.
A fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected. Fileless malware typically uses a legitimate application to load the malware into memory, leaving no traces of infection on disk and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed an 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this technique, which is likely related to threat actor confidence that such attacks will be successful.
MSBuild Project File (.proj) Analysis
Analyzed File – imaadp32.proj
MD5 – 45c94900f312b2002c9c445bd8a59ae6
The file we analyzed is called “imaadp32.proj” and, as shown in Figure 2 below, is an MSBuild project file (.proj). For persistence, mshta is used to execute a VBScript that runs the project file, and a shortcut file (.lnk) is added to the startup folder (Figure 3).
Figure 2 - MSBuild Project Schema for imaadp32.proj
Figure 3 - .lnk File Created in Startup Folder
After persistence is established, two large arrays of decimal bytes are decoded by the function shown in Figure 4.
Figure 4 - Decoding Function
Porting the decoding function to Python, we created the script shown in Figure 5 below. The variable “dec_list” holds the decimal array to be decoded, and the variable “key” holds the key string found at the end of the decimal array.

```python
def decode_array(dec_list, key):
    # Key-scheduling phase: build a 256-entry state table from the repeated key
    key_array = []
    position_array = []
    for position in list(range(256)):
        key_array.append(key[position % len(key)])
        position_array.append(position)
    xxZmgLbpuJ = 0
    for position in list(range(256)):
        xxZmgLbpuJ = (xxZmgLbpuJ + position_array[position] + ord(key_array[position])) % 256
        YAFIh = position_array[position]
        position_array[position] = position_array[xxZmgLbpuJ]
        position_array[xxZmgLbpuJ] = YAFIh
    # Keystream phase: XOR each decimal byte with the next keystream byte
    DmqRsaOvxUH = 0
    xxZmgLbpuJ = 0
    new_array = []
    for position in list(range(len(dec_list))):
        DmqRsaOvxUH += 1
        DmqRsaOvxUH %= 256
        xxZmgLbpuJ += position_array[DmqRsaOvxUH]
        xxZmgLbpuJ %= 256
        YAFIh = position_array[DmqRsaOvxUH]
        position_array[DmqRsaOvxUH] = position_array[xxZmgLbpuJ]
        position_array[xxZmgLbpuJ] = YAFIh
        new_array.append(dec_list[position] ^ position_array[((position_array[DmqRsaOvxUH] + position_array[xxZmgLbpuJ]) % 256)])
    return new_array
```
Figure 5 - Python Script to Decode
The decimal list output by this function was then converted to bytes, yielding an executable for the first block and shellcode for the second block.
Memory for the payload and the shellcode was allocated in the process space using VirtualAlloc. After being copied into memory, the shellcode was executed via the callback function pointer of CallWindowProc, shown in Figure 6 below. Other samples use Delegate.DynamicInvoke instead.
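As an added example (not code from the post), the following Python triage script applies the points above to a project file: it parses the MSBuild XML for inline tasks (UsingTask elements using a CodeTaskFactory or RoslynCodeTaskFactory), extracts large decimal byte arrays and the quoted key string, RC4-decodes them with the same key schedule and keystream as the Figure 5 decoder, and reports whether each decoded block starts with an MZ header (an executable) or not (shellcode or other). The sample project, key and array are constructed for the demonstration and are not the campaign's files.

```python
import re
import xml.etree.ElementTree as ET
SUSPECT_APIS = ("VirtualAlloc", "CallWindowProc", "DynamicInvoke",  # loader and shellcode
                "LoadLibraryW", "CreateProcessW", "ZwUnmapViewOfSection")  # APIs from Figures 6 and 8
ARRAY_RE = re.compile(r"\{\s*((?:\d{1,3}\s*,\s*){16,}\d{1,3})\s*\}")  # 17+ decimal bytes in braces
KEY_RE = re.compile(r'"([^"]{4,})"')  # quoted strings; the post says the key follows the array

def rc4(key, data):
    """RC4, the same key schedule and keystream as the Figure 5 decoder; symmetric."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def inline_task_code(proj_xml):
    """<Code> bodies of every UsingTask built by a (Roslyn)CodeTaskFactory inline task."""
    bodies = []
    for el in ET.fromstring(proj_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "UsingTask" and "CodeTaskFactory" in el.get("TaskFactory", ""):
            bodies += [c.text or "" for c in el.iter() if c.tag.rsplit("}", 1)[-1] == "Code"]
    return bodies

def triage(proj_xml):
    """Count inline tasks, note loader APIs, RC4-decode embedded arrays with the last quoted key."""
    report = {"inline_tasks": 0, "apis": [], "blobs": []}
    for body in inline_task_code(proj_xml):
        report["inline_tasks"] += 1
        report["apis"] += [a for a in SUSPECT_APIS if a in body]
        keys = KEY_RE.findall(body)
        for m in ARRAY_RE.finditer(body):
            enc = bytes(int(x) & 0xFF for x in m.group(1).split(","))
            dec = rc4(keys[-1].encode(), enc) if keys else enc
            report["blobs"].append((len(enc), "PE" if dec[:2] == b"MZ" else "shellcode/other"))
    return report

# Constructed sample in the shape the post describes (not the real imaadp32.proj); the
# array is RC4-encrypted with the constructed key so triage() can decode it back to "MZ".
KEY = "ConstructedKey"
ENC = ",".join(str(b) for b in rc4(KEY.encode(), b"MZ\x90\x00" + bytes(20)))
SAMPLE_PROJ = f"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Run" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[ byte[] a = {{{ENC}}}; string k = "{KEY}"; // VirtualAlloc + CallWindowProc ]]></Code></Task>
  </UsingTask></Project>"""
```

On a real sample the array-to-key pairing may differ from the constructed one, so treat a "shellcode/other" result as "undecoded" rather than as a verdict.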
Figure 6 - Shellcode and Payload Being Loaded Into Memory
Figure 7 - Encoded shellcode in Project File
The shellcode (shown encoded in Figure 7 above) makes the calls shown in Figure 8 below, mainly LoadLibraryW, VirtualAlloc, CreateProcessW, and ZwUnmapViewOfSection: LoadLibraryW loads a module, VirtualAlloc allocates memory, CreateProcessW creates a process, and ZwUnmapViewOfSection unmaps a section from the virtual address space. Together, these are used to inject the payload into the memory of the new process.
Figure 8 - Calls made by the shellcode
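As an added example (not from the post), the following Python detection logic turns the execution chain described above into three checks over process-creation telemetry: MSBuild.exe launched by a script host such as mshta.exe, MSBuild.exe run against a project file under a user-writable path, and MSBuild.exe spawning a child that is not a compiler (the CreateProcessW call made by the shellcode). The event records, paths and the hollowed host process are constructed for the example, and the script-host and expected-child sets are assumptions to tune per environment.

```python
import os
import re

MSBUILD = "msbuild.exe"
# Script hosts / LOLBins in this campaign's chain (mshta runs VBScript, which runs the .proj)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Children a genuine build spawns; the shellcode's CreateProcessW child will not be one of these
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "vbcscompiler.exe", "conhost.exe", "tracker.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")
PROJ_RE = re.compile(r"\.\w*proj\b")  # .proj, .csproj, .vbproj ...

def _name(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def detect(events):
    """Return (rule, image) hits for process-creation events with image/parent/cmdline keys."""
    hits = []
    for ev in events:
        image, parent, cmd = _name(ev["image"]), _name(ev["parent"]), ev["cmdline"].lower()
        if image == MSBUILD:
            if parent in SCRIPT_HOSTS:
                hits.append(("msbuild_from_script_host", ev["image"]))
            if PROJ_RE.search(cmd) and any(p in cmd for p in USER_WRITABLE):
                hits.append(("msbuild_proj_in_user_path", ev["image"]))
        elif parent == MSBUILD and image not in EXPECTED_CHILDREN:
            hits.append(("unexpected_child_of_msbuild", ev["image"]))
    return hits

# Constructed events in the shape of Sysmon Event ID 1 fields (not telemetry from the campaign);
# the hollowed host process is a placeholder, since the post does not name it.
MSB = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\AppData\Roaming\run.vbs"'},
    {"image": MSB, "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'MSBuild.exe "C:\Users\victim\AppData\Roaming\imaadp32.proj"'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": MSB, "cmdline": "notepad.exe"},
    {"image": MSB, "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj"'},
]
```

The last event is a normal Visual Studio build and produces no hit, which is the baseline these rules must keep quiet on.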
Analyzed File –
MD5 – 04fc0ca4062dd014d64dcb2fe8dbc966
The payload from the project files was a remote access tool (RAT) called Remcos. Remcos is commercial software created by Breaking Security that, according to its user manual, can be used for remote control, remote administration, remote anti-theft, remote support and pentesting. However, Remcos has often been used by threat actors for malicious purposes. The software, written in C++, enables full access to the infected machine with features including, but not limited to:
- Credential harvesting
- Gathering system information
- Screen capture
- Script execution
The lures used by actors to distribute Remcos have varied, with changes made to fit current themes or timeframes; for example, recent Remcos campaigns were observed using Tax Day lures. The version used in this campaign was 2.6.0, released in July 2020 (Figure 9). Additional functions Remcos is known to offer are listed in Table 1 below. Persistence is achieved simply by adding a Run registry key (Figure 11). Remcos has also been observed using its “Watchdog” feature to restart the RAT if it is terminated (Figure 12).
Figure 9 - Remcos Version 2.6.0 Being Used
Figure 10 - connecting to C2
Figure 11 - Adds Run Registry Key for Persistence
Figure 12 - Watchdog Module
Figure 12 shows the “Watchdog” module which restarts Remcos in the event the program is terminated.
Table 1 - Remcos 2.6.0 Features
| Feature | Feature |
|---|---|
| Webcam Capture | Remote Command Line |
| Clear Logins | Remote Chat |
| File Manager | Remote Input |
| Microphone Capture | SOCKS Proxy |
| Screen Logger | Local Utilities |
| Browser History | Registry Editor |
| Password Recovery | Visibility mode |
Analyzed File – rehoboams.exe
MD5 – 6d3e8a2802848d259a3baaaa78701b97
In a project file similar to the Remcos-dropping .proj file, we found another project file named “vwnfmo.lnk” that dropped RedLine Stealer instead of Remcos, shown in Figure 13 below. RedLine Stealer is written in .NET and has been observed stealing multiple types of data (full list shown in Table 2 below), including:
- Credentials (chat clients, VPNs, crypto wallets, browsers)
- Crypto wallet
- NordVPN (existence of and credentials)
- Stored web browser information (credit card, username, and password)
- System Information
RedLine will search for the existence of multiple products that include cryptocurrency software, messaging apps, VPNs, and web browsers (full list shown in Table 2 below).
Figure 13 - RedLine .NET Information Stealer
Figure 14 - RedLine Functions
Figure 15 - Checks for NordVPN Installation
Figure 15 above shows RedLine checking for NordVPN on the machine. If the path exists, the malware next checks the user config to steal the credentials. The same function lets RedLine steal credentials for other installed applications.
Table 2 - Installed Applications RedLine Scans for
| Application | Application |
|---|---|
| Chrome | GameLauncher for Steam |
| DesktopMessenger for Telegram | NordVPN |
The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations. This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially. Focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy, are some recommended courses of action for countering this threat.
References
“MSBuild,” Microsoft Visual Studio Docs, published November 4, 2016, accessed May 3, 2021, https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2019.
“What Is Fileless Malware?,” McAfee, accessed May 3, 2021, https://www.mcafee.com/enterprise/en-gb/security-awareness/ransomware/what-is-fileless-malware.html.
“Internet Security Report – Q4 2020,” WatchGuard, published March 30, 2021, accessed May 4, 2021, https://www.watchguard.com/uk/wgrd-resource-center/security-report-q4-2020, p. 3.
“Remcos Instructions Manual,” Breaking Security, published July 2018, accessed May 4, 2021, https://breaking-security.net/wp-content/uploads/dlm_uploads/2018/07/Remcos-Instructions-Manual-rev19.pdf, pp. 15-16.
Daniel Frank, “Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware,” Cybereason, published March 18, 2021, accessed May 4, 2021, https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers.
MITRE ATT&CK TTPs Matrix
| Tactic | Technique ID | Technique |
|---|---|---|
| Execution | T1059.003 | Windows Command Shell |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548.002 | Abuse Elevation Control: Bypass User Account Control |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1055.002 | Portable Executable Injection |
| Defense Evasion | T1127 | Trusted Developer Utilities Proxy |
| Defense Evasion | T1218.005 | Signed Binary Proxy Execution: Mshta |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1555.003 | Credentials from Web Browsers |
| Credential Access | T1539 | Steal Web Session Cookie |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1518.001 | Security Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1614 | System Location Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1124 | System Time Discovery |
| Command and Control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Zero Detection on VirusTotal