MSIX App Packages

A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.

"MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone said in a technical report published last week.

"However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources."

Cybersecurity

Based on the installers used as lures, it's suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.

Launching the MSIX file opens a Windows prompting the users to click the Install button, doing so which results in the stealthy download of GHOSTPULSE on the compromised host from a remote server ("manojsinghnegi[.]com") via a PowerShell script.

This process take place over multiple stages, with the first payload being a TAR archive file containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but in reality is a legitimate binary that's bundled with Notepad++ (gup.exe).

Also present within the TAR archive is handoff.wav and a trojanized version of libcurl.dll that's loaded to take the infection process to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading.

Cybersecurity

"The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll," Desimone said. "By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning."

The tampered DLL file subsequently proceeds by parsing handoff.wav, which, in turn, packs an encrypted payload that's decoded and executed via mshtml.dll, a method known as module stomping, to ultimately load GHOSTPULSE.

GHOSTPULSE acts as a loader, employing another technique known as process doppelgänging to kick start the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.