China-Aligned Abuse msbuild, DCSync After Legacy CVE Break-ins

Legacy CVEs and misconfigured IIS enable stealth access via msbuild and DCSync. China-linked operators chain Log4j and IIS misconfiguration with msbuild, csc, and scheduled tasks to persist.

Attackers with ties to China pursue long-term access rather than smash-and-grab. They scan old but still exposed flaws (Log4Shell, Apache Struts RCE, Confluence OGNL, and GoAhead) until one host gives way. Then they live off the land. They schedule tasks, launch msbuild.exe to run hidden payloads, inject into csc.exe, and beacon with low-noise tradecraft. Because they favor persistence over spectacle, they quietly map domain controllers and stage credential theft while teams chase unrelated alerts.

Target and infiltration flow

Operators scanned a public-facing server in early April and probed multiple legacy vectors: CVE-2021-44228 (Log4j), CVE-2022-26134 (Confluence), CVE-2017-9805 (Struts), and CVE-2017-17562 (GoAhead). After days of quiet, they returned, tested outbound reach with curl, and shifted to discovery with netstat. Next, they planted a scheduled task that launched msbuild.exe on a timer. Because msbuild is trusted, EDR often ranks it low-risk unless analysts follow the process tree.

Lineage: msbuild → inject into csc.exe → memory load

The task chain executed msbuild.exe to run an opaque project. That project injected code into csc.exe, which then opened command-and-control over a single IP. The loader unpacked a memory-resident payload, likely a RAT, leaving minimal disk footprint. Because the path uses signed binaries and short bursts of activity, basic signature-based detections rarely fire. Therefore, defenders should track process ancestry and child process behavior, not just filenames.

Sideloading moves

On selected hosts, the crew executed vetysafe.exe (a legitimate VIPRE component) to sideload a malicious sbamres.dll. Similar DLL names surfaced in operations attributed to Salt Typhoon / Earth Estries, Earth Longzhi (an APT41 sub-cluster), and Space Pirates. The overlap signals shared tooling rather than a single actor. Even so, the tradecraft stays consistent: exploit an older edge, translate that foothold into scheduled execution, and then persist with signed-binary abuse.

Window to DC: credential theft and DCSync

During the dwell period, the operators probed paths toward domain controllers. Their tooling set included DCSync-style replication abuse and an Imjpuexc utility seen in prior campaigns. As a result, once they hold the right group privileges, they can replicate secrets and expand laterally without dropping noisy password-dump tools. Because DCSync traffic looks legitimate, you must alert when non-DC endpoints request replication data.
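
As an added example (not the article's tooling), the non-DC replication alert described above, run over constructed Security Event 4662 records. The client host is assumed to have been joined from the matching logon event, the hostnames and accounts are constructed, and the replication right GUIDs are the real Active Directory extended rights.

```python
"""Triage constructed Windows Security 4662 events for DCSync-style replication
requests from hosts that are not domain controllers. Added example, not the
article's tooling; hosts and accounts are constructed, the GUIDs are real."""
from dataclasses import dataclass

# Extended rights a DCSync request needs; they appear in the 4662 Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

@dataclass(frozen=True)
class Event4662:
    subject_account: str  # SubjectUserName of the requester
    client_host: str      # assumed: joined from SubjectLogonId to the matching 4624 logon
    properties: str       # raw Properties field carrying access-right GUIDs

def replication_rights(properties):
    """Names of the replication rights present in a Properties field."""
    text = properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in text)

def dcsync_alerts(events, domain_controllers, allowed_accounts=frozenset()):
    """(account, host, rights) for replication requests not made by a DC or an allowlisted account."""
    dcs = {h.lower() for h in domain_controllers}
    allowed = {a.lower() for a in allowed_accounts}
    alerts = []
    for ev in events:
        rights = replication_rights(ev.properties)
        if not rights:
            continue  # ordinary directory object access, not replication
        if ev.client_host.lower() in dcs or ev.subject_account.rstrip("$").lower() in dcs:
            continue  # DC-to-DC replication is normal
        if ev.subject_account.lower() in allowed:
            continue  # e.g. a directory-sync service account that legitimately replicates
        alerts.append((ev.subject_account, ev.client_host, rights))
    return alerts

# Constructed sample: normal DC replication, a service account on a web server, and
# an unrelated object access with a placeholder GUID.
SAMPLE_EVENTS = [
    Event4662("DC01$", "DC01", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("svc_backup", "WEB-EDGE01", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "WS042", "{00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for account, host, rights in dcsync_alerts(SAMPLE_EVENTS, ["DC01", "DC02"]):
        print(f"ALERT: {account} on {host} requested {', '.join(rights)}")
```

Tune the allowlist to the accounts that are supposed to replicate in your forest, and treat any other hit as a confirmed DCSync attempt to investigate.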

Legacy bugs, new channels: from Log4j to misconfigured IIS

Beyond classic CVEs, a Chinese-speaking cluster, REF3927, now harvests publicly exposed ASP.NET machine keys to compromise misconfigured IIS servers. The crew deploys an SEO-cloaking backdoor, “TOLLBOOTH”, with web shell features. They can hide content from crawlers, run commands, and drop Godzilla shells or GotoHTTP remote access. Because this route requires no new 0-days, just leaked machine keys and poor hygiene, the campaign scales fast across hosting providers.

Why this works against enterprises

Legacy CVEs linger on perimeter systems. Admins leave msbuild.exe and other LOLBAS unrestricted. Certificate trust and scheduled tasks look harmless in isolation. Meanwhile, SEO cloaking on IIS muddies external signals and buys time. Consequently, the attackers chain quiet steps into durable access while teams rotate through patch cycles that never reach the oldest boxes.

Detection and hunting

Track msbuild.exe launched by Task Scheduler and watch for csc.exe as a surprise child with network handles. Hunt for scheduled tasks that run hourly under SYSTEM. Correlate process lineage from network-facing services to the build chain. On the domain side, alert when non-DC hosts request replication privileges or call Directory Replication Service APIs. On the web tier, test IIS for reused machine keys and look for SEO-cloaking modules that alter content for crawlers. To validate an incident, replay the timeline from exploit → task creation → build invocation → code injection → beacon.
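
One way to implement the process-lineage check above over endpoint telemetry, as an added example that is not part of the original article: the events are constructed in the Sysmon Event ID 1 and 3 shape, the project path is a placeholder, and the Task Scheduler test relies on the hosting svchost command line carrying `-s Schedule`.

```python
"""Hunt constructed Sysmon-style telemetry for the chain the article describes: Task
Scheduler -> msbuild.exe -> csc.exe holding a socket. Added example, not the article's tooling."""
from collections import defaultdict

SCHEDULER_MARKER = "-s schedule"  # command-line tail of the svchost hosting the Schedule service
# Event ID 1 style records (all constructed): (pid, ppid, image, command line, user)
PROCESS_EVENTS = [
    (900, 4, r"C:\Windows\System32\services.exe", "services.exe", "SYSTEM"),
    (1200, 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", "SYSTEM"),
    (3100, 1200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\ProgramData\cache\update.proj", "SYSTEM"),  # project path is a placeholder
    (3150, 3100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "csc.exe /noconfig /fullpaths @tmp.cmdline", "SYSTEM"),
    (4000, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"CORP\dev1"),  # ordinary developer build
    (4100, 4000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe App.csproj", r"CORP\dev1"),
    (4150, 4100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig @App.cmdline", r"CORP\dev1"),
]
# Event ID 3 style records (constructed): (pid, destination); 198.51.100.0/24 is documentation space
NETWORK_EVENTS = [(3150, "198.51.100.23:443"), (4000, "10.0.0.5:445")]

def lineage(pid, index, limit=8):
    """[(image basename, cmdline, user), ...] from the process up to its oldest known ancestor."""
    chain = []
    while pid in index and len(chain) < limit:
        ppid, image, cmdline, user = index[pid]
        chain.append((image.rsplit("\\", 1)[-1].lower(), cmdline, user))
        pid = ppid
    return chain

def hunt_msbuild_chain(process_events, network_events):
    """Findings for csc.exe with network activity whose ancestry includes msbuild.exe; 'scheduled' marks descent from the Task Scheduler host."""
    index = {pid: (ppid, img, cmd, usr) for pid, ppid, img, cmd, usr in process_events}
    destinations = defaultdict(list)
    for pid, dest in network_events:
        destinations[pid].append(dest)
    findings = []
    for pid, dests in destinations.items():
        chain = lineage(pid, index)
        names = [name for name, _, _ in chain]
        if not names or names[0] != "csc.exe" or "msbuild.exe" not in names:
            continue  # the compiler never needs a socket of its own; anything else is out of scope here
        scheduled = any(n == "svchost.exe" and SCHEDULER_MARKER in cmd.lower()
                        for n, cmd, _ in chain[names.index("msbuild.exe"):])
        findings.append({"pid": pid, "user": chain[0][2], "chain": " <- ".join(names),
                         "scheduled": scheduled, "destinations": dests})
    return findings

if __name__ == "__main__":
    for f in hunt_msbuild_chain(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{'SCHEDULED ' if f['scheduled'] else ''}{f['chain']} ({f['user']}) -> {f['destinations']}")
```

The developer build in the sample produces no finding because its csc.exe never touches the network, which is the discriminator the article points at.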

Mitigation and hardening

Patch the edge first: Log4j, Struts, Confluence, and GoAhead instances exposed to the internet. Rotate any ASP.NET machine keys that may have leaked; regenerate and store them securely. Enforce application control so msbuild.exe cannot run arbitrary projects on servers. Lock down scheduled task creation to admins with logging and approval. On AD, restrict replication rights; alert on DCSync events from non-DCs. Finally, hunt for VIPRE sideloading artifacts and Godzilla/GotoHTTP traces on any IIS host that shows content cloaking.
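
An added example, not from the article or any vendor: a check for ASP.NET machine keys shared across IIS sites or matching a known-leaked fingerprint, run over constructed web.config contents. Key values and the "leaked" fingerprint are placeholders; the report hashes keys so the rotation list never echoes the secrets themselves.

```python
"""Audit ASP.NET web.config files for static <machineKey> values that are shared
across sites or match a known-leaked fingerprint. Added example, not from the
article; the configs and the 'leaked' fingerprint below are constructed."""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def key_fingerprint(validation_key, decryption_key):
    """Hash the key pair so reports never echo the raw secrets."""
    return hashlib.sha256(f"{validation_key}|{decryption_key}".encode()).hexdigest()[:16]

def static_machine_key(config_xml):
    """Fingerprint of a static machineKey, or None if absent or auto-generated per app."""
    for node in ET.fromstring(config_xml).iter("machineKey"):
        vk = node.get("validationKey", "AutoGenerate")
        dk = node.get("decryptionKey", "AutoGenerate")
        if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
            return None  # nothing static to leak or reuse
        return key_fingerprint(vk, dk)
    return None

def audit_machine_keys(configs, known_leaked=frozenset()):
    """{fingerprint: {"sites": [...], "shared": bool, "known_leaked": bool}} for static keys."""
    by_fp = defaultdict(list)
    for path, xml in configs.items():
        fp = static_machine_key(xml)
        if fp:
            by_fp[fp].append(path)
    return {fp: {"sites": sorted(paths), "shared": len(paths) > 1, "known_leaked": fp in known_leaked}
            for fp, paths in by_fp.items()}

# Constructed web.config bodies; real keys are long hex strings, these are placeholders.
CONFIG = '<configuration><system.web><machineKey validationKey="{v}" decryptionKey="{d}" validation="HMACSHA256"/></system.web></configuration>'
SAMPLE_CONFIGS = {
    r"D:\sites\tenantA\web.config": CONFIG.format(v="AAAA1111", d="BBBB2222"),
    r"D:\sites\tenantB\web.config": CONFIG.format(v="AAAA1111", d="BBBB2222"),  # same key as tenantA
    r"D:\sites\tenantC\web.config": CONFIG.format(v="CCCC3333", d="DDDD4444"),
    r"D:\sites\tenantD\web.config": CONFIG.format(v="AutoGenerate,IsolateApps", d="AutoGenerate,IsolateApps"),
}
# Pretend the tenantA/B pair has appeared in a public key dump (constructed fingerprint).
KNOWN_LEAKED = frozenset({key_fingerprint("AAAA1111", "BBBB2222")})

if __name__ == "__main__":
    for fp, info in audit_machine_keys(SAMPLE_CONFIGS, KNOWN_LEAKED).items():
        if info["shared"] or info["known_leaked"]:
            print(f"ROTATE {fp}: shared={info['shared']} leaked={info['known_leaked']} sites={info['sites']}")
```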

Operational impact and next steps

Inventory any server that recently exposed the listed CVEs. Review build tools on servers; msbuild.exe rarely belongs on front-end web nodes. Pull a 60-day task history and diff new or modified jobs. Rebind machine keys where IIS hosts share them across tenants. After eviction, run a credential hygiene sprint to rotate high-value secrets and close the post-exploitation path back to DCs.

This campaign reuses old doors and hides in normal tools. Because the flow looks routine (scheduled tasks, msbuild, compiler processes), teams miss the pivot. Close the legacy CVEs, restrict build tools on servers, watch for DCSync from non-DCs, and test IIS for machine-key misuse. If you reduce trust in “it’s signed, it’s safe,” you cut this operation’s oxygen.

FAQs

Q: Why do attackers still win with Log4j and Struts today?
A: Many internet-facing systems never received complete fixes. Attackers combine wide scanning with selective follow-up, then trade noise for stealth once inside.

Q: How does IIS machine-key abuse lead to backdoors?
A: If an attacker learns or guesses an app’s machineKey, they can authenticate as the server and load modules like TOLLBOOTH without tripping standard checks.

Q: What’s the fastest control to block this chain?
A: Remove msbuild.exe from servers and deny its execution via application control. In parallel, rotate machine keys and enforce strict task-creation policies.

Q: How do we confirm DCSync misuse?
A: Alert when non-DC hosts initiate replication. Then review logs for DRS API calls tied to accounts with replication privileges and correlate with task or service creation.

Q: What should we monitor on IIS after cleanup?
A: Watch for SEO-cloaking behavior, unexpected module loads, Godzilla shell traces, and outbound connections from w3wp.exe to unfamiliar hosts.
