Analysts at Anomali's Threat Research team found that the infected MSBuild project files contain encoded shellcode and executables used to deliver malicious payloads into a target computer's memory. The attackers use the MSBuild development tool, a legitimate signed Microsoft binary, to load the payloads while avoiding detection.
“While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer,” said Tara Gould and Gage Mele, intelligence analysts at Anomali.
“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations. This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially,” according to Anomali.
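As an added defender-side example (not Anomali's tooling and not the campaign's project files), the script below parses an MSBuild project and flags inline-task code that carries a long encoded blob or memory-injection API names, the two traits the article attributes to these .proj files; the indicator list, the 200-character threshold and both sample projects are assumptions constructed for the demo.

```python
"""Static triage for MSBuild project files: flag inline UsingTask code that
carries a long encoded blob or memory-injection API names (added example,
not Anomali's tooling; indicator list and 200-char threshold are assumptions)."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# P/Invoke names typical of in-memory loaders (assumed indicator list)
SUSPICIOUS_APIS = ("VirtualAlloc", "CreateThread", "WriteProcessMemory", "Marshal.Copy")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-like run


def _local(tag):  # strip the XML namespace from a tag name
    return tag.split("}", 1)[1] if "}" in tag else tag


def scan_msbuild_project(xml_text):
    """Return one finding per inline task whose <Code> looks like a loader."""
    findings = []
    for task in ET.fromstring(xml_text).iter():
        if _local(task.tag) != "UsingTask":
            continue
        code = "".join(c.text or "" for c in task.iter() if _local(c.tag) == "Code")
        apis = [a for a in SUSPICIOUS_APIS if a in code]
        blobs = BLOB_RE.findall(code)
        if apis or blobs:
            findings.append({"task": task.get("TaskName", "?"),
                             "factory": task.get("TaskFactory", ""),
                             "apis": apis, "blob_lengths": [len(b) for b in blobs]})
    return findings


# Constructed samples: the "blob" is 240 'A' characters, not real shellcode.
SAMPLE_LOADER = f"""<Project ToolsVersion="4.0" xmlns="{MSBUILD_NS}">
  <Target Name="Build"><Loader /></Target>
  <UsingTask TaskName="Loader" TaskFactory="CodeTaskFactory" AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      byte[] buf = Convert.FromBase64String("{'A' * 240}");
      // loader stub for the demo: VirtualAlloc + CreateThread would go here
    ]]></Code></Task>
  </UsingTask>
</Project>"""
SAMPLE_BENIGN = f"""<Project xmlns="{MSBUILD_NS}">
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory" AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("hello from build");</Code></Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for name, doc in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(name, scan_msbuild_project(doc))
```

A hit on a project file is a triage signal, not a verdict: legitimate inline tasks exist, so pair this with process telemetry showing MSBuild.exe launched outside a build context.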