Cybercriminals Exploit MSBuild to Execute Stealthy Fileless Attacks
In recent developments, cybercriminals have increasingly exploited Microsoft’s MSBuild.exe, a legitimate build tool, to execute fileless attacks that evade traditional security measures. This technique leverages MSBuild’s trusted status to run malicious code directly in memory, leaving minimal forensic evidence and bypassing conventional detection systems.
Understanding MSBuild and Its Exploitation
MSBuild.exe is a Microsoft-signed utility designed for compiling and building applications using XML-based project files. Its legitimate purpose and digital signature make it inherently trusted by Windows operating systems and many security solutions. However, attackers have found a way to misuse this trust by embedding malicious C# code within project files, which MSBuild can execute in memory without writing to disk. This fileless execution method is particularly insidious because it leaves little to no trace on the file system, making detection and forensic analysis challenging.
Real-World Attack Scenarios
Analysts from ASEC have documented two notable instances where MSBuild was abused as a Living Off the Land Binary (LOLBin):
1. January 2025 Incident: Attackers utilized MSBuild to establish a TCP reverse shell connection. Remarkably, this activity did not trigger any alerts from Windows Defender, even with real-time monitoring enabled.
2. February 2026 Campaign: A more sophisticated attack involved using MSBuild as a downloader to retrieve malicious files from an external command-and-control (C2) server. This method was combined with a DLL sideloading technique to execute the payload.
The Appeal of MSBuild for Attackers
Several factors contribute to MSBuild’s attractiveness as a tool for malicious activities:
– Inline Code Execution: MSBuild allows for the execution of C# code directly within project files, eliminating the need for separate malicious executables.
– Comprehensive Functionality: It supports file loading, network communication, and binary execution, providing attackers with a versatile platform for various malicious operations.
– Trusted Digital Signature: Being digitally signed by Microsoft, MSBuild can bypass code signature verification checks employed by many endpoint security tools.
Impact on Security Measures
The exploitation of MSBuild poses significant challenges for organizations:
– Evasion of Traditional Antivirus Solutions: Fileless attacks executed through MSBuild are not easily detected by signature-based antivirus programs.
– Minimal Forensic Evidence: Since the malicious code runs in memory and does not write to disk, it leaves little evidence for forensic analysis.
– Difficulty in Differentiating Malicious from Legitimate Activity: The use of a trusted system binary complicates the identification of malicious actions amidst normal developer operations.
Detailed Attack Methodology
The February 2026 attack campaign provides insight into the operational tactics employed:
1. Initial Access via Phishing: The attack begins with a phishing email containing a compressed file attachment disguised as a meeting invitation or work-related document.
2. Execution of MSBuild: Within the archive, the victim finds what appears to be a document file, which is actually a renamed copy of MSBuild.exe. This file retains its original Microsoft signature, reducing suspicion.
3. Automatic Project File Loading: When the renamed binary is launched with no arguments, MSBuild looks in its working directory for a project file (.csproj) and loads it without any further user interaction.
4. Malicious Code Execution: The loaded project file contains an inline C# script with Base64-encoded URLs pointing to an external C2 server. The script decodes these URLs and downloads additional malicious files, including an executable, a DLL named Avk.dll, and a data file called AVKTray.dat, all stored in the system’s temporary folder.
5. Payload Execution: MSBuild then executes the downloaded executable, which, despite having a valid digital signature, loads the malicious Avk.dll from the same directory.
Mitigation Strategies
To defend against such sophisticated attacks, organizations should consider the following measures:
– Behavioral Analysis: Implement security solutions that focus on detecting anomalous behavior rather than relying solely on signature-based detection.
– Application Whitelisting: Restrict the execution of MSBuild and other scripting tools to authorized users and processes.
– User Education: Conduct regular training sessions to help employees recognize phishing attempts and the risks associated with opening unsolicited attachments.
– Regular System Audits: Perform frequent audits to identify and address potential vulnerabilities within the system.
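The attack chain above gives a defender several concrete signals to look for: MSBuild running under a different file name, from a user-writable folder, launched from a mail client or archive viewer, with no project argument, then making outbound connections and dropping executables into the Temp directory. The following Python is an added example, not code from the article or from ASEC, that encodes those signals as rules and runs them over constructed Sysmon-style records (event IDs 1, 3 and 11). The list of standard MSBuild installation roots, the set of suspicious parent processes, and every sample record are assumptions made for the illustration.

```python
import ntpath

# Added example: detection logic for the MSBuild abuse pattern described in the
# article, run over constructed Sysmon-style telemetry. Field names follow
# Sysmon event IDs 1 (process create), 3 (network connect) and 11 (file create);
# the sample records below are constructed for illustration, not real logs.

# Assumption: MSBuild normally lives under these roots; anything else is suspect.
STANDARD_MSBUILD_DIRS = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\program files\dotnet",
)

# Assumption: parents that indicate the binary was launched from a mail client
# or an extracted archive rather than from a developer workflow.
MAIL_OR_ARCHIVE_PARENTS = {"outlook.exe", "explorer.exe", "7zfm.exe", "winrar.exe"}

PAYLOAD_EXTENSIONS = (".exe", ".dll", ".dat")


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def is_msbuild(ev):
    """Match on the signed OriginalFileName, so a renamed copy is still recognised."""
    return (ev.get("OriginalFileName", "").lower() == "msbuild.exe"
            or basename(ev.get("Image", "")) == "msbuild.exe")


def has_no_arguments(cmdline):
    """True when the command line is only the executable path.

    MSBuild run without a project argument picks up a project file from its
    working directory, which is the behaviour the dropper relies on.
    Simplification: an unquoted image path containing spaces is not handled.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() == ""


def analyze(events):
    """Return (pid, rule, detail) findings for MSBuild processes in the event stream."""
    findings = []
    msbuild_pids = set()
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventId"] == 1 and is_msbuild(ev):
            msbuild_pids.add(pid)
            image = ev["Image"]
            if basename(image) != "msbuild.exe":
                findings.append((pid, "renamed_msbuild", image))
            if not image.lower().startswith(STANDARD_MSBUILD_DIRS):
                findings.append((pid, "msbuild_outside_install_dir", image))
            if basename(ev.get("ParentImage", "")) in MAIL_OR_ARCHIVE_PARENTS:
                findings.append((pid, "msbuild_from_mail_or_archive", ev["ParentImage"]))
            if has_no_arguments(ev.get("CommandLine", "")):
                findings.append((pid, "msbuild_no_project_argument", ev["CommandLine"]))
        elif ev["EventId"] == 3 and pid in msbuild_pids:
            findings.append((pid, "msbuild_network_connection", ev["DestinationIp"]))
        elif ev["EventId"] == 11 and pid in msbuild_pids:
            target = ev["TargetFilename"]
            if "\\temp\\" in target.lower() and target.lower().endswith(PAYLOAD_EXTENSIONS):
                findings.append((pid, "msbuild_dropped_file_in_temp", target))
    return findings


VS_MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"
RENAMED = r"C:\Users\alice\Downloads\Meeting_Invite\Meeting_Invite.exe"

SAMPLE_EVENTS = [
    # Constructed: a normal Visual Studio build, which should produce no findings.
    {"EventId": 1, "ProcessId": 4100, "Image": VS_MSBUILD, "OriginalFileName": "MSBuild.exe",
     "CommandLine": f'"{VS_MSBUILD}" App.csproj /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Constructed: a renamed MSBuild copy opened out of an extracted archive and run
    # with no arguments, so it loads the .csproj sitting next to it.
    {"EventId": 1, "ProcessId": 5200, "Image": RENAMED, "OriginalFileName": "MSBuild.exe",
     "CommandLine": f'"{RENAMED}"', "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"EventId": 3, "ProcessId": 5200, "Image": RENAMED, "DestinationIp": "203.0.113.10"},
    {"EventId": 11, "ProcessId": 5200, "Image": RENAMED,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Avk.dll"},
    {"EventId": 11, "ProcessId": 5200, "Image": RENAMED,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\AVKTray.dat"},
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

Run against the sample, the Visual Studio build produces nothing while the renamed copy trips all six rules. The key design choice is matching on the signed OriginalFileName rather than on the path, which is also why application-control publisher rules keyed on the signed binary name (rather than path rules) hold up against a renamed copy; any single rule here will fire on some legitimate developer activity, so the value is in correlating several of them on one process.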
Conclusion
The misuse of MSBuild for fileless attacks underscores the evolving tactics of cybercriminals who exploit trusted system tools to bypass security defenses. Organizations must adopt a proactive and layered security approach, combining advanced detection techniques, strict access controls, and comprehensive user education to effectively mitigate these threats.