Hackers Abuse Microsoft Build Engine

Anomali Threat Research recognized a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer.

Threat actors used MSBuild, a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.

Infection Chain

Security researchers observed that the malicious MSBuild files contained encoded executables and shellcode, with some, hosted on Russian image-hosting site, “joxi[.]net.”

Researchers mention, “It was unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples analyzed deliver Remcos as the final payload”.

Infection Chain

MSBuild has an inline task feature that enables code to be specified and compiled by MSBuild and executed in memory. This ability for code to be executed in memory is what enables threat actors to use MSBuild in fileless attacks.

Fileless malware usually uses a legitimate application to load the malware into memory, thus leaving no traces of infection on the machine and making it difficult to detect.


Most of the malware analyzed delivered Remcos as the final payload. Once installed on the victim’s computer, the Remcos trojan allows hackers to remote control, remote admin, remote anti-theft, remote support, and pentest a machine.

Researchers said the software enables full access to the infected machine with features like anti-AV, credential harvesting, gathering system information, keylogging, persistence, screen capture, script execution, and more.

What is Redline Stealer Malware?

The other malware observed in the campaign is Redline Stealer. This malware is written in .Net and when installed on a victim’s system, it can steal multiple types of data, such as cookies, credentials, crypto wallets, NordVPN credentials, stored web browser information, and system information.

RedLine will search for the existence of multiple products that include cryptocurrency software, messaging apps, VPNs, and web browsers.

Final Word

This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially. Focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy, are some recommended courses of action for countering this threat.

Also Read

TeaBot – A New Malware that stealing victim’s Credentials and Intercepting SMS Messages

Top 12 Security Flaws Exploited by Russian Hackers to Target Organisations Globally

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.