MSBuild Abused for Execution of Cobalt Strike Beacon

83
MSBuild Abused for Execution of Cobalt Strike Beacon

Malicious campaigns were detected using Microsoft Build Engine (MSBuild), a set of open source building tools for native C ++ managed code, and part of the .NET Framework.

A researcher from Morphus Labs found finding two different malicious campaigns targeted at MSBuild to drive the Cobalt Strike payload on targeted systems. Attackers first gain access to the target area via an RDP account, then use Windows Services remotely to move sideways, and then use MSBuild to run payments for the Cobalt Strike Beacon.

Beacon is used to remove SSL encrypted encryption with a C2 server. In order to test code run by MSBuild project, researchers removed buffer encryption that stores malicious content encrypted and the same encryption function for coding.

Read More: Cyware

For more such updates follow us on Google News ITsecuritywire News