Malicious campaigns have recently been spotted abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on vulnerable machines. MSBuild, which was designed for the construction of Windows applications, uses a project file element called 'Tasks' to designate components that are executed during project building, and threat actors are misusing these Tasks to launch malicious code disguised as MSBuild. Renato Marinho, a Morphus Labs security researcher, and SANS Internet Storm Center (ISC) handler claims that two different malicious campaigns have been discovered utilizing MSBuild for code execution in the last week.
MSBuild is a build tool that aids in the automation of the software development process, including source code compilation, packaging, testing, deployment, and documentation creation. It is feasible to build Visual Studio projects and solutions with MSBuild even if the Visual Studio IDE is not installed. MSBuild is a free and open-source software. MSBuild was previously included with the.NET Framework; however, starting with Visual Studio 2013, it is now included with Visual Studio. MSBuild is a functional replacement for the nmake utility, which is still used in projects created with previous Visual Studio editions.
MSBuild operates on MSBuild project files, which have an XML syntax comparable to Apache Ant or NAnt. Despite the fact that the syntax is based on a well-defined XML schema, the fundamental structure and operation are comparable to the traditional Unix make utility: the user specifies what will be used (typically source code files) and what the result should be (typically a static library, DLL, or executable application), but the utility decides what to do and in which order to carry out the build.
Threat actors often obtain access to the target environment through the use of a genuine remote desktop protocol (RDP) account, then employ remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload. The malicious MSBuild project was created to build and run certain C# code, which then decodes and executes Cobalt Strike.
Marinho further claims that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command and control (C&C) server. To avoid such attacks, the researcher recommends that enterprises use the Windows Defender Application Control (WDAC) policy to restrict Microsoft-signed applications that potentially allow the execution of other malware. MSBuild generates a list of these apps.
“There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,” Marinho concluded.