[the_ad id="12394"]
HomeNewsCobalt Strike Beacon executed using MSBuild

Cobalt Strike Beacon executed using MSBuild

-

Two independent malicious operations using MSBuild to launch the Cobalt Strike payload on targeted PCs were detected by a researcher from Morphus Labs.

The attackers utilize an RDP account to obtain access to the target environment, then use distant Windows Services and MSBuild to launch the Cobalt Strike Beacon payload.

The Beacon is used to decode SSL-encrypted communications between the C2 server and the client.

The researchers used the same decryption function to decode the code run by the MSBuild project and encrypted variable buff, which stores the decrypted malicious material.

The new malicious effort is not the first to exploit MSBuild; the toolset has already been exploited by a variety of attackers.

MSBuild was utilized to execute a file filled with Metasploit payload in one atypical implementation of Hades’ incursion in June.

In May, attackers were detected utilizing MSBuild to propagate information-stealing malware and remote access tools (RATs).

For their purposes, attackers continue to use open-source and authorized technologies. The researchers claim that the Windows Defender Application Control (WDAC) policy, which bans programs from executing malicious payloads, can thwart these types of assaults.Marinho concludes, “There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,”

Sanskriti
Sanskriti loves technology in general and ensures to keep TheDigitalHacker audience aware of the latest trends, updates, and data breaches.

Must Read

Google is manufacturing an AR Headset

0
The hunt monster has as of late started increasing work on an AR headset, inside codenamed Project Iris, which it desires to deliver in...