Anomali Threat Research discovered a campaign in which threat actors used MSBuild a tool used for building apps and gives users an XML schema that controls how the build platform processes and builds software to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.

MSBuild is a free and open-source build tool set for managed code as well as native C++ code and was part of .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.

The MSBuild files employed in the attacks spotted by the experts contained encoded executables and shellcode, some of which were hosted on Russian image-hosting site (joxi.net). The use of MSBuild allows the attackers to avoid detection while loading the malicious code into memory.

Most of the samples analyzed by Anomali were used to deliver the Remcos RAT, while others were also delivering the Quasar RAT and RedLine Stealer.

Remcos is a commercial software that can be used for remote control, remote admin, remote anti-theft, remote support and pentesting. The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.

The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations.

This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.