MSBuild, the build platform for Microsoft .NET and Visual Studio, has an inline-task feature that lets a project file carry its own source code, which MSBuild compiles and executes in memory at build time, and adversaries have abused this feature in a new campaign for the fileless delivery of their malicious payloads.
The attacks, which were ongoing last week, likely started in April. As part of the campaign, the threat actors encoded executables and shellcode within malicious MSBuild files, and hosted them on a Russian image-hosting website, joxi[.]net.
Anomali’s researchers, who report that most of the analyzed MSBuild project files (.proj) used in these attacks were meant to deliver the Remcos RAT as the final payload, could not determine how the files were being distributed.