Experts have recently discovered that a group of threat actors has been conducting a malicious campaign that takes advantage of the MSBuild or Microsoft Build Engine to run the Cobalt Strike Beacon in their attacks.
MSBuild (the Microsoft Build Engine) is Microsoft's open-source build toolset for native C++ and managed code, and is a component of the .NET Framework.
Based on the reports submitted by the experts, two distinct malicious campaigns were found that abuse the Microsoft Build Engine to run the Cobalt Strike payload on selected targets.
The threat actors first gain access to the target's environment through an RDP (Remote Desktop Protocol) user account, then use remote Windows Services for lateral movement across the network and MSBuild to run the Cobalt Strike Beacon payload.
The Cobalt Strike Beacon is then used to decrypt the SSL-encrypted communications with the command-and-control servers. To study the code executed by the MSBuild project, the researchers extracted the encrypted payload stored in the variable buff and reused the project's own decryption routine to decode it.
MSBuild has been abused by attackers multiple times before the Cobalt Strike Beacon campaign.
The Cobalt Strike Beacon deployment is not the first time threat actors have abused MSBuild; attackers have misused the toolset in the past.
In June 2021, the Hades ransomware group used the Microsoft Build toolset to run a file that carried a Metasploit payload. Researchers have also observed separate threat actors abusing MSBuild to distribute information-stealing malware and remote access trojans.
Threat actors abuse MSBuild, a legitimate open-source toolset, in their campaigns. However, the researchers have stated that a Windows Defender Application Control (WDAC) policy can obstruct these kinds of attacks, as it prevents applications such as MSBuild from executing unauthorised payloads like Cobalt Strike Beacon.
Experts still warn that complacency will cause grave damage to organisations and to others. It is therefore vital to pay attention to every process on the system, even when WDAC is in place.
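As an added illustration of the process monitoring the article recommends (this is example detection logic written for this page, not code from the researchers or from any product), the following Python checks constructed Sysmon-style process-creation and network-connection events for MSBuild behaviour matching the chain described above: MSBuild launched by the Service Control Manager, as a remotely created service would be; a project file in a writable staging directory; and MSBuild itself opening a network connection. The event field names, directory list and sample records are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (id 1 = process create, id 3 = network connect).
# These are made-up sample records, not telemetry from the campaign above.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build", "user": r"CORP\dev01"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"MSBuild.exe C:\Windows\Temp\build.proj", "user": r"NT AUTHORITY\SYSTEM"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

# Writable locations where a build tool has no business reading project files (assumed list).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\public\\",
                   "\\appdata\\local\\temp\\")
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".xml")


def is_msbuild(image):
    return PureWindowsPath(image).name.lower() == "msbuild.exe"


def project_path(cmdline):
    # Return the first command-line token that looks like an MSBuild project file.
    for token in cmdline.split():
        if token.lower().endswith(PROJECT_EXTS):
            return token.strip('"')
    return None


def check_event(ev):
    alerts = []
    if not is_msbuild(ev["image"]):
        return alerts
    if ev["id"] == 1:
        # A service-spawned build engine is consistent with lateral movement via remote services.
        if PureWindowsPath(ev["parent"]).name.lower() == "services.exe":
            alerts.append(("high", "MSBuild started by the Service Control Manager"))
        proj = project_path(ev["cmdline"])
        if proj and any(d in proj.lower() for d in SUSPICIOUS_DIRS):
            alerts.append(("medium", f"MSBuild project file in staging directory: {proj}"))
    elif ev["id"] == 3:
        # A build engine beaconing out is how the in-memory payload reaches its C2.
        alerts.append(("high", f"MSBuild outbound connection to {ev['dest_ip']}:{ev['dest_port']}"))
    return alerts


def scan(events):
    # Flatten per-event alerts into (event index, severity, message) tuples.
    return [(i, sev, msg) for i, ev in enumerate(events) for sev, msg in check_event(ev)]
```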