CyberSecurity SEE

Turla Hackers Exploiting Microsoft Build Engine for Covert Malware Delivery

Cybersecurity researchers have documented a campaign in which attackers abuse the Microsoft Build Engine (MSBuild) to deliver malware quietly. MSBuild is the build tool that ships with Visual Studio and the .NET Framework. A project file handed to it can contain an inline task whose C# source is compiled and executed as part of the build, so a legitimate development tool ends up running attacker-supplied code. No vulnerability is exploited; the engine does exactly what it was designed to do.

What makes MSBuild attractive is its trusted status inside corporate environments. MSBuild.exe is a Microsoft-signed binary present on developer workstations and on any host with the .NET Framework 4.x installed, so application-control policies that trust Microsoft-signed code will let it run, and the payload arrives as a text project file rather than as a recognisable executable. That combination lets the technique slip past allowlisting and some endpoint controls that would block an unsigned binary or a script.

One group that has used this technique is the APT tracked as Turla. In the recent campaign the initial lures were malicious .LNK shortcut files disguised as PDF documents, with decoy content on human rights and public advisories chosen to suit the intended targets.

Opening the .LNK ultimately installs a backdoor that takes its instructions from a command-and-control (C&C) server, giving the operators remote command execution on the compromised host.

The chain starts with the .LNK, most likely delivered by phishing. When the shortcut is executed it runs a PowerShell script that writes three files to %temp%: the lure PDF, a blob of encrypted data, and an MSBuild project file. The script opens the PDF so the user sees what they expected, while MSBuild is launched on the project file in the background.

The first MSBuild project decrypts the blob into a file with a .log extension, and a second MSBuild project, scheduled to run every 20 minutes, takes over from there. The extension is a disguise aimed at people, not at the engine: MSBuild will load a project file whatever its extension, so a .log name hides nothing from the build. The second project starts two threads: one hides the MSBuild process, the other polls a compromised website used as C&C, identifying the victim by a unique machine ID.

The commands returned implement the backdoor: run shell commands, upload and download files, change directory, and run PowerShell scripts on the victim's machine. The campaign is attributed to Turla with medium confidence, based on Russian-language comments in the code, the targeting of NGOs, and the use of compromised websites as C&C infrastructure.
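The chain above leaves a distinctive process-creation footprint: MSBuild launched by a script host, handed a file in %temp% whose extension is not a build file, and then a scheduled task whose action is MSBuild. The Python triage routine below is an added example for this article, not code from the page, from the campaign, or from any vendor tooling. It assumes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage); the three sample events are constructed, the MSBuild paths are the standard install locations, and the victim path and task name are made up.

```python
"""Triage of process-creation events for the MSBuild chain described above.

Added example for this article; not code from the original page, from the
operators, or from any vendor report. The events are constructed to resemble
Sysmon Event ID 1 records (Image, CommandLine, ParentImage). MSBuild paths are
the usual install locations; the victim path and task name are invented.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions developers and build servers normally hand to MSBuild.
BUILD_EXTS = {".sln", ".proj", ".csproj", ".vbproj", ".fsproj", ".vcxproj", ".targets", ".props"}

# Directories a legitimate build almost never runs from; the campaign staged to %temp%.
STAGING_DIR = re.compile(r"\\(?:temp|tmp|downloads|public|programdata)\\", re.I)

# Script hosts that sit between the .LNK and MSBuild in the described chain.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    image: str          # Sysmon Image: full path of the new process
    command_line: str   # Sysmon CommandLine
    parent_image: str   # Sysmon ParentImage


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # Benign: Visual Studio building a project out of a source tree.
    ProcessEvent(
        image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        command_line=r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" C:\src\app\app.csproj /t:Build /p:Configuration=Release',
        parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    ),
    # Analogue of the initial step: PowerShell from the .LNK hands MSBuild a ".log" in %temp%.
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\victim\AppData\Local\Temp\report.log" /nologo',
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
    # Analogue of the persistence step: a task that re-runs MSBuild on the staged file every 20 minutes.
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /Create /SC MINUTE /MO 20 /TN "Updater" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\victim\AppData\Local\Temp\report.log" /F',
        parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    ),
]


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def project_argument(tokens: List[str]) -> Optional[str]:
    """MSBuild treats the first non-switch argument after the executable as the project path."""
    for tok in tokens[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def analyze(event: ProcessEvent) -> List[str]:
    """Return the reasons this event matches the MSBuild abuse chain (empty list if benign)."""
    reasons: List[str] = []
    image = ntpath.basename(event.image).lower()
    parent = ntpath.basename(event.parent_image).lower()
    tokens = tokenize(event.command_line)

    if image == "msbuild.exe":
        project = project_argument(tokens)
        if project is not None:
            ext = ntpath.splitext(project)[1].lower()
            if ext not in BUILD_EXTS:
                # MSBuild loads a project whatever its extension; a ".log" project is the tell.
                reasons.append(f"project file has non-build extension '{ext}'")
            if STAGING_DIR.search(project):
                reasons.append("project file loaded from a staging/temp directory")
        if parent in SCRIPT_HOSTS:
            reasons.append(f"MSBuild spawned by script host {parent}")

    if image == "schtasks.exe":
        joined = " ".join(tokens).lower()
        if "/create" in joined and "msbuild" in joined:
            reasons.append("schtasks registering a task whose action launches MSBuild")

    return reasons


def triage(events: List[ProcessEvent]) -> List[int]:
    """Indices of the events that produced at least one reason."""
    return [i for i, ev in enumerate(events) if analyze(ev)]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i].command_line}")
        for reason in analyze(SAMPLE_EVENTS[i]):
            print(f"  - {reason}")
```

Run against the samples, the Visual Studio build produces no reasons, the %temp% launch produces three, and the schtasks registration one. Each reason on its own is noisy (developers do run MSBuild from cmd.exe), which is why the routine returns the full list rather than a verdict: a rule that alerts on two or more reasons, or on the schtasks pattern alone, matches the described chain without paging on every build server.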

Recommended defences follow from the chain. Mail filtering should block or detonate shortcut (.LNK) attachments and archives that carry them, and users should treat attachments from unknown senders with caution. MSBuild.exe should be restricted to developers and build hosts through application control; it appears on Microsoft's recommended WDAC block list precisely because it can run arbitrary code. PowerShell should be disabled or constrained where it is not needed (Constrained Language Mode, script block logging). Finally, process-creation auditing with command lines (Windows event 4688 with command-line logging enabled, or Sysmon event 1) makes the tell-tale pattern visible: MSBuild launched by a script host against a file in %temp%, and a scheduled task whose action is MSBuild.

In conclusion, the abuse of the Microsoft Build Engine shows how attackers keep turning trusted, signed tooling into a delivery mechanism, and why defences have to look at what a trusted binary is doing and where it was launched from, not only at whether it is signed. Organisations that restrict MSBuild, constrain PowerShell and log process creation with command lines are well placed to catch campaigns like this one.
