Renato Marinho, a Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler, reported that he had discovered two separate malicious campaigns that used Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

MSBuild is a free and open-source build toolset for both managed code and native C++ code that is included with the .NET Framework. It is used for application development and provides an XML project schema that governs how the build platform processes and builds software; the attackers abused that same capability to compile and execute their own code and so deliver malware.

The malicious MSBuild project used in the attacks was created to compile and execute specific C# code, which then decodes and executes the Cobalt Strike payload.

According to the attack scenario described by the researcher, the attackers used a valid Remote Desktop Protocol (RDP) account to gain access to the target environment, then used remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload.

The researcher reported: “A man-in-the-middle attack is one method for decrypting SSL traffic. I used the project mitmproxy to accomplish this. When using a tool like this, the communication schema is to have the client, the Cobalt Strike beacon, talk to the SSL proxy, and the SSL proxy talk to the C2 server. The traffic will be unencrypted in the middle (proxy).”

To analyse the code executed by the malicious MSBuild project, the analyst decoded the variable ‘buff’, which stores the decrypted malicious content. To decrypt and analyse that code, the researcher reimplemented the same decryption function in Python.

Finally, the researcher concluded: “MSBuild compiles a list of Microsoft-signed applications that can execute other code. These applications should be blocked by the Windows Defender Application Control (WDAC) policy. However, there is a caveat for MSBuild.exe. If the system is used in a development context to build managed applications, it is recommended that msbuild.exe be allowed in the code integrity policies.”
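As an added defensive example (not code from the report or from Morphus Labs), the following Python scans constructed process-creation events for the pattern described above: msbuild.exe started by the Service Control Manager, or handed a project file from a user-writable path, with an allowlist of developer build hosts reflecting the WDAC caveat. The host names, paths and path heuristics are assumptions for illustration.

```python
"""Flag suspicious MSBuild executions in process-creation events (constructed sample)."""
import re
from dataclasses import dataclass

# Hosts where MSBuild is expected (developer build machines); assumed for this example.
BUILD_HOSTS = {"dev-build01"}

# A project file living under a temp or user-writable directory is not a normal
# build tree; this path heuristic is an assumption, tune it to your environment.
SUSPICIOUS_PATH = re.compile(r"(\\temp\\|\\appdata\\|\\public\\|\\programdata\\)", re.I)
# First argument that looks like an MSBuild project file.
PROJECT_ARG = re.compile(r'"?([^\s"]+\.(?:proj|csproj|xml|targets))"?', re.I)


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def assess(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means not flagged."""
    reasons: list[str] = []
    if not ev.image.lower().endswith("\\msbuild.exe"):
        return reasons
    # MSBuild whose parent is services.exe was started as a Windows service,
    # which matches the SCM-based lateral movement described in the report.
    if ev.parent_image.lower().endswith("\\services.exe"):
        reasons.append("msbuild.exe launched as a Windows service (parent services.exe)")
    m = PROJECT_ARG.search(ev.command_line)
    if m and SUSPICIOUS_PATH.search(m.group(1)):
        reasons.append(f"project file in user-writable path: {m.group(1)}")
    if reasons and ev.host in BUILD_HOSTS:
        reasons.append("host is an approved build host; triage before blocking")
    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every flagged event."""
    return [(e.host, r) for e in events if (r := assess(e))]


# Constructed sample events, not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent("dev-build01", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
    ProcEvent("ws-42", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\services.exe",
              r"MSBuild.exe C:\Users\Public\build.xml"),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```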
