Last Updated on 04/01/2022 by Sanskriti
Two independent malicious operations using MSBuild to launch the Cobalt Strike payload on targeted PCs were detected by a researcher from Morphus Labs.
The attackers use an RDP account to gain access to the target environment, then create remote Windows services that run MSBuild to launch the Cobalt Strike Beacon payload.
The Beacon is used to decode SSL-encrypted communications between the C2 server and the client.
The researchers used the same decryption function to decode the code run by the MSBuild project and the encrypted variable `buff`, which, once decrypted, yields the malicious payload.
This new malicious campaign is not the first to abuse MSBuild; the toolset has already been exploited by a variety of attackers.
In one unusual Hades intrusion in June, MSBuild was used to execute a file containing a Metasploit payload.
In May, attackers were observed using MSBuild to deliver information-stealing malware and remote access tools (RATs).
Attackers continue to rely on open-source and legitimate tools for their purposes. The researchers claim that a Windows Defender Application Control (WDAC) policy, which prevents such programs from executing malicious payloads, can thwart these types of attacks. Marinho concludes, “There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies.”
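Where MSBuild.exe must stay allowed on developer machines, the service-launched execution pattern described above can still be surfaced from process-creation telemetry. The following is an added detection example, not code from Morphus Labs or from the article; the event field names mirror Sysmon process-creation events (an assumption), and the sample events are constructed for illustration.

```python
# Flag MSBuild.exe launches that match the pattern in the article:
# started by the Windows service host, or handed a project file from a
# staging location rather than a development tree.

SERVICE_HOSTS = {"services.exe"}
STAGING_DIRS = ("\\temp\\", "\\users\\public\\", "\\appdata\\", "\\programdata\\")

# Constructed sample events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Windows\Temp\update.proj"},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\dev\src\app\app.csproj /t:Build"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"msbuild.exe C:\Users\Public\a.xml"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe readme.txt"},
]


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def project_arg(cmdline):
    """First non-switch argument after the executable: the project file MSBuild will run."""
    for tok in cmdline.split()[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def analyze(event):
    """Return the list of reasons this event is suspicious (empty if it is not MSBuild or looks normal)."""
    reasons = []
    if basename(event["Image"]) != "msbuild.exe":
        return reasons
    if basename(event["ParentImage"]) in SERVICE_HOSTS:
        reasons.append("MSBuild launched by the Windows service host")
    proj = project_arg(event["CommandLine"])
    if proj and any(d in proj.lower() for d in STAGING_DIRS):
        reasons.append("project file in staging location: " + proj)
    return reasons


def scan(events):
    """Return (CommandLine, reasons) for every flagged event."""
    return [(e["CommandLine"], analyze(e)) for e in events if analyze(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the service-spawned build of a project in `C:\Windows\Temp` and the build of a file under `C:\Users\Public`, while the Visual Studio build of a project in the developer's source tree passes.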