The Anomali Threat Research team has recently identified a campaign in which hackers are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and password-stealing malware known as RedLine Stealer.

MSBuild (msbuild.exe) is a Microsoft platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software.

According to Proofpoint’s Threat Insight Team, the RedLine Stealer exfiltrates data from browsers such as login, autocomplete, passwords, and credit cards. It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software. The last year’s update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets.

Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks. The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some, hosted on Russian image-hosting site, “joxi[.]net.”


As the Anomali researchers noted, the malicious MSBuild project files delivered in this campaign bundled encoded executables and shellcode the threat actors used for injecting the final payloads into the memory of newly spawned processes.

While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.


The threat actors began infiltrating Remcos RAT, Quasar RAT, and RedLine Stealer payloads onto their victims’ computers last month. Once they are installed, they can be used to collect keystrokes, credentials, and screen snapshots, disable anti-malware software, and fully take over the devices remotely. To make matters worse, the malware will also scan for web browsers, messaging apps, and VPN, and cryptocurrency software to steal user credentials.

msbuild -Infection-chain heimdal security

Infection chain

Image Source: Anomali

A fileless attack is a “technique used by threat actors to compromise a machine while limiting the chances of being detected”, the researchers note.

With the MSBuild development tool, threat actors are able to avoid detection while injecting their malicious payloads directly into a targeted computer’s memory.

MSBuild -VirusTotal heimdal security

Image Source: Anomali

Fileless malware typically uses a legitimate application to load the malware into memory, therefore leaving no traces of infection on the machine and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed an 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack technique, which is likely related to threat actor confidence that such attacks will be successful.


The researchers concluded that this campaign pointed out that reliance on antivirus software alone is not enough for cyber defense. Using legitimate code to hide malware from antivirus technology is effective and growing exponentially.

The impact of cyberattacks is devastating and they usually happen due to bad IT hygiene and a minimum of security measures taken. The Anomali Threat Research team recommends focusing on cybersecurity training and hygiene, as well as a defense-in-depth strategy.

Antivirus vs Antimalware: Which One Should You Choose?

Microsoft: Threat Actors Use Contact Forms on Websites to Deliver IcedID Malware

What is a Remote Access Trojan (RAT)?

Leave a Reply

Your email address will not be published. Required fields are marked *