A new fileless malware campaign exploits a malicious MSBuild tool

Cybercriminals use Microsoft Build Engine to deliver info-stealing RATs that can evade detection

Evildoers distribute perilous computer infections encoded in legitimate Microsoft files

Anomali Threat Research has reported^[1] that unknown threat actors have been distributing password-stealing remote access trojans, knowns as RATs in the cybersecurity community, encoded in MSBuild.exe files. This is a legitimate Microsoft Inc. file^[2] and process that's a platform for building applications. The malware campaign possibly was active for a month until the research took place.

Although the report was submitted on May 13, 2021, the research group speculates that the malicious campaign began in April and was still going strong at the time of writing. The report is long and detailed, but the researchers haven't discovered how the infectious files with .proj marker were actually delivered.

But they managed to identify three specific infections that were being distributed – Quasar RAT, Remcos RAT, and RedLine Stealer. The scary thing about this research is that trustworthy anti-malware, and virus detection tools are helpless as very few have detected the malware.

Malware capable of stealing passwords, credentials, webcam data

The malicious MSBuild files observed by the Anomali group contained encoded executables and shellcodes. The majority of the files had Remcos^[3] (Remote Control and Surveillance) RAT payloads. This cyber infection is extremely dangerous as its primary purpose is to control the infected device. All gathered information is seamlessly sent to a secret, remote server of the assailants.

Threats can:

• record keystrokes,
• steal private data (banking credentials, usernames, passwords, etc.),
• monitor and store information transmitted through the webcam and microphone,
• download additional malware,
• steal personal files,
• disable security software, and so on.

Another discovered malware distributed during the campaign is RedLine Stealer.^[4] Unlike the first virus, it's not meant to take control of the device but, as its name suggests, is able to steal autocomplete data, saved logins (for cryptocurrency wallets, banks, social media platforms, emails, etc.), and credit card information.

And last but not least, the Quasar RAT^[5] was the third virus spread by the threat actors. Its functions are almost identical to the ones of the Remos RAT. All of these infections are available for purchase in underground forums.

Fileless delivery helps to bypass the security software

Developers of security software have to big up their game as reports indicate^[6] that fileless payload file creations and distribution have skyrocketed since 2019 by a staggering 888%. Essentially, fileless malware is a type of malicious software that spreads camouflaged as legitimate applications or files.

Most notable attacks using such concealed delivery techniques emerged in 2017. Various computer infections that are being distributed in such a manner are very hard to detect and remove, as they don't rely on files and leave practically no footprint.

This makes it ideal for malware developers to stay undetected and carry out various evil deeds for an indefinite period of time. Cybercriminals can create modern infections to use fewer resources and send collected victim data back to the assailants when the PC is idle so the user wouldn't spot an increase in the network traffic.

The Anomali researchers have pointed out that reliance on antivirus software alone is just not enough to protect devices from fileless malware:

Focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy, are some recommended courses of action for countering this threat.