Attackers are constantly looking for ways to keep their activity unnoticed, both by users and by security software. One of the most effective is to abuse legitimate, apparently harmless tools that antivirus has no reason to flag. Several groups have started doing exactly that with Microsoft Build Engine, a widely used open source build tool, to deliver malware that puts our security at risk.
Microsoft Build Engine, better known as MSBuild, is Microsoft's build tool for compiling software, comparable to the "make" tool on Linux. It reads an XML project file that accompanies the code and describes the build steps (compilation, packaging, tests and so on), so the same project can be built on any machine without manual steps. MSBuild ships with the .NET Framework and with Visual Studio, so MSBuild.exe is present on most Windows systems whether or not anyone ever develops software on them.

Because MSBuild.exe itself is a Microsoft-signed binary, security software treats it as trusted, and code that MSBuild compiles and runs inside its own process inherits that trust. That is exactly what the attackers end up taking advantage of.
A Trojan that steals your data and passwords
A group of security researchers has found a new campaign that is gaining worrying traction. Several groups have started using MSBuild to distribute threats and compile them on the victims' own computers: the malicious project file carries source code for an inline task, which MSBuild compiles and executes inside its own process, so the payload runs directly in memory and never has to be written to disk as an executable that a scanner could catch.
Three payloads are built this way. Two are remote access Trojans (Remcos RAT and Quasar RAT); the third is an information stealer (RedLine Stealer). Once running on the system they collect all kinds of information, from keystrokes to the credentials saved on the PC and cryptocurrency wallet data, and they can take screenshots to send back to the attackers' server.
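To make the mechanism concrete, here is a small triage script that shows what an inline-task project looks like and flags the features a defender would look for in a suspicious .proj. This is an added example written for this article, not code from the researchers or from the campaign. Both project files are constructed here: the benign one is an ordinary build, and the "loader" one only has the shape of a loader (a CodeTaskFactory inline task, a kernel32 P/Invoke declaration, and a base64 blob that decodes to zeros) and contains no execution logic. The indicator list is an assumption to be tuned, not an official signature set.

```python
import re
import xml.etree.ElementTree as ET

# Task factories that let a project file carry C#/VB source which MSBuild compiles
# and runs inside its own process. Ordinary builds almost never need them.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

# Things an inline task has no business doing during a build. Assumed indicator
# list for illustration; extend it with whatever your own triage turns up.
CODE_INDICATORS = {
    r'DllImport\s*\(\s*"kernel32': "P/Invoke into kernel32 (memory/thread APIs)",
    r"\bVirtualAlloc\w*\b|\bCreateThread\b|\bWriteProcessMemory\b": "direct memory-execution API names",
    r"Convert\.FromBase64String": "decodes an embedded base64 blob",
    r"Assembly\.Load\s*\(": "reflectively loads an assembly",
}
# A run of 200+ base64 characters is far longer than anything a build needs.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(tag):
    """Strip the MSBuild XML namespace so old-style and SDK-style projects match alike."""
    return tag.rsplit("}", 1)[-1]


def triage_msbuild_project(xml_text):
    """Return {'suspicious': bool, 'findings': [...]} for the text of one project file."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "UsingTask" and el.get("TaskFactory") in INLINE_TASK_FACTORIES:
            findings.append(
                f"inline task '{el.get('TaskName')}' compiled via {el.get('TaskFactory')}"
            )
        elif name == "Code":
            src = el.text or ""  # the C#/VB source inside <Code> (usually CDATA)
            for pattern, what in CODE_INDICATORS.items():
                if re.search(pattern, src):
                    findings.append(f"inline code: {what}")
    if BASE64_BLOB.search(xml_text):
        findings.append("long base64 blob embedded in project")
    # Any single finding is enough to pull the file for manual review.
    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples (not real malware). BENIGN_PROJ is a plain C# build; LOADER_PROJ has
# the shape of a loader project but decodes zeros and stops, so it does nothing if built.
BENIGN_PROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="app.exe" />
  </Target>
</Project>"""

LOADER_PROJ = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Loader />
  </Target>
  <UsingTask TaskName="Loader" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
        public class Loader : Task {
          [DllImport("kernel32")] static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);
          public override bool Execute() {
            byte[] blob = Convert.FromBase64String("__BLOB__");
            return blob.Length > 0;  // constructed sample: decodes zeros and stops here
          }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>""".replace("__BLOB__", "QUFB" * 80)  # 320 base64 chars of "AAA..."


if __name__ == "__main__":
    for label, proj in (("benign", BENIGN_PROJ), ("loader", LOADER_PROJ)):
        result = triage_msbuild_project(proj)
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

Run it against a directory of .proj, .csproj and .xml files pulled from mail attachments or download folders; anything with a `UsingTask` inline factory outside a known source tree deserves a look regardless of what VirusTotal says about the file hash.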

These threats never exist as an executable file on disk (they are "fileless" malware), which is why conventional file-scanning antivirus struggles with them. What actually reaches the computer is a .proj (project) file, and at the time of the report not a single engine on VirusTotal flagged it.
How to protect ourselves from this fileless virus
Security researchers do not yet know exactly how the project file reaches victims' computers. It could be by mail, through fake download pages or through other social engineering, so it is not known whether the attacks are massive or targeted. What is clear is that MSBuild has to be invoked with the project file for the payload to be compiled and run, so there must be some interaction with the victim's PC at some point. Bear in mind that MSBuild ships with the .NET Framework, so on most Windows systems it is already there; not being a developer is no protection.
As there is no file that antivirus can point to as "the virus", file-based scanning cannot do much against it. This is the whole problem with fileless malware, which is increasingly popular precisely because it evades that layer of security. It is therefore important not to trust our security 100% to antivirus, but to use common sense, and to check from time to time that the running processes are what they claim to be, for example with Process Explorer, which can submit the hashes of all running processes to VirusTotal at once. Note, however, that in this case the running process is a clean, Microsoft-signed MSBuild.exe, so its hash will come back clean. What gives the attack away is the context: an MSBuild.exe running on a machine with no development tools, spawned by Explorer, Outlook or an Office application, or handed a project file from a Temp or Downloads folder.
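The contextual checks just described are easy to turn into a hunting rule over process-creation telemetry. The following is an added example for this article, not a detection published by the researchers; it runs over four constructed events in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User). The parent-process allowlist and the list of user-writable staging directories are assumptions for a typical workstation and should be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Parents that have a legitimate reason to launch MSBuild on a developer machine
# (assumed allowlist; extend with your own build agents).
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Parents that should never need to compile a project: the shell, mail and Office clients
# and the usual script hosts used by droppers (assumed list).
USER_APP_PARENTS = {
    "explorer.exe", "outlook.exe", "winword.exe", "excel.exe",
    "powerpnt.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}
# Directories any user can write to and where mail/browser payloads land.
STAGING_DIR = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|Windows\\Temp|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def hunt_msbuild(events):
    """Return [(event_index, [reasons...])] for msbuild.exe launches that look like abuse."""
    alerts = []
    for i, ev in enumerate(events):
        if PureWindowsPath(ev["Image"]).name.lower() != "msbuild.exe":
            continue
        reasons = []
        # First argument that is not a /switch is the project file MSBuild was given.
        args = _tokens(ev["CommandLine"])[1:]
        project = next((a for a in args if not a.startswith(("/", "-"))), None)
        if project and STAGING_DIR.search(project):
            reasons.append(f"project file in user-writable staging dir: {project}")
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        if parent in USER_APP_PARENTS:
            reasons.append(f"spawned by {parent}, which is not a build tool")
        if reasons:
            alerts.append((i, reasons))
    return alerts


# Constructed sample telemetry (not real logs): one build from Visual Studio, one from a
# command prompt, and two launches that match the pattern described in the article.
FX_MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
VS_MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"
SAMPLE_EVENTS = [
    {"Image": FX_MSBUILD,
     "CommandLine": f'"{FX_MSBUILD}" C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.proj',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"Image": VS_MSBUILD,
     "CommandLine": f'"{VS_MSBUILD}" C:\\src\\app\\app.csproj /t:Build /p:Configuration=Release',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "User": r"CORP\bob"},
    {"Image": FX_MSBUILD,
     "CommandLine": f'"{FX_MSBUILD}" C:\\Users\\alice\\Downloads\\report.proj',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "User": r"CORP\alice"},
    {"Image": FX_MSBUILD,
     "CommandLine": f'"{FX_MSBUILD}" C:\\src\\lib\\lib.csproj /t:Build',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
]


if __name__ == "__main__":
    for idx, reasons in hunt_msbuild(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['User']}")
        for r in reasons:
            print("  -", r)
```

The rule deliberately does not look at the image hash, which would be clean for a genuine MSBuild.exe; it keys on who launched the binary and where the project file came from, which is what Process Explorer's parent and command-line columns show you when checking by hand. A fourth event with an unlisted parent and a normal source path produces no alert, so the rule stays quiet on ordinary command-line builds.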