Hackers Utilize MSIX App Packages for Windows PC Infection with GHOSTPULSE Malware

    Researchers have uncovered a new attack campaign that distributes fake MSIX Windows app package files posing as popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. The aim is to deliver a new malware loader tracked as GHOSTPULSE.

    What is MSIX?

    Joe Desimone of Elastic Security Labs described the campaign in a technical report. MSIX is a Windows app package format that lets developers package, distribute, and install applications on Windows. The catch for attackers is that Windows will not install an MSIX package unless it is signed with a certificate the machine trusts, so abusing the format requires a purchased or stolen code-signing certificate. That cost makes the technique viable mainly for groups with above-average resources.
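    Because the packages in this campaign carry real signatures, "is it signed?" is not the right question; "who signed it, and is that who the branding says it is?" is. The following Python script is an added example, not code from Elastic Security Labs or the article. An MSIX file is a ZIP container, so the package identity can be read from AppxManifest.xml and the presence of an Authenticode blob from AppxSignature.p7x without installing anything. The script builds two constructed packages in memory: one whose publisher matches the product it claims to be, and one branded as Google Chrome but signed by someone else. The expected-publisher string for Google Chrome, the placeholder signature bytes, and the product-to-publisher allow-list are assumptions for the example. The script checks the declared publisher subject only; cryptographic verification of the signature is left to a tool such as Get-AuthenticodeSignature on the Windows host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Default namespace of the MSIX foundation manifest schema.
NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Constructed allow-list mapping a product's display name to the publisher
# subject its genuine packages are expected to carry. The Google value is an
# assumption for this example; curate real values from vendor-obtained packages.
EXPECTED_PUBLISHERS = {
    "Google Chrome": "CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US",
}


def build_msix(display_name: str, publisher: str, signed: bool) -> bytes:
    """Build a minimal, constructed MSIX-like ZIP for the example (not an installable package)."""
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="{display_name.replace(' ', '')}" Publisher="{publisher}" Version="1.0.0.0" />
  <Properties>
    <DisplayName>{display_name}</DisplayName>
    <PublisherDisplayName>{publisher.split(',')[0][3:]}</PublisherDisplayName>
  </Properties>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        if signed:
            # Stand-in for the real PKCS#7 blob; only its presence is checked here.
            zf.writestr("AppxSignature.p7x", b"\x30\x82placeholder")
    return buf.getvalue()


def inspect_msix(data: bytes) -> dict:
    """Extract the identity facts a defender checks before clicking Install."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        root = ET.fromstring(zf.read("AppxManifest.xml"))
    identity = root.find(f"{NS}Identity")
    display = root.find(f"{NS}Properties/{NS}DisplayName")
    result = {
        "display_name": display.text if display is not None else None,
        "publisher": identity.get("Publisher") if identity is not None else None,
        "has_signature": "AppxSignature.p7x" in names,
        "warnings": [],
    }
    if not result["has_signature"]:
        result["warnings"].append("no AppxSignature.p7x: package is unsigned")
    expected = EXPECTED_PUBLISHERS.get(result["display_name"])
    if expected and result["publisher"] != expected:
        result["warnings"].append(
            f"display name {result['display_name']!r} but publisher is "
            f"{result['publisher']!r}, expected {expected!r}"
        )
    return result


if __name__ == "__main__":
    genuine = build_msix("Google Chrome", EXPECTED_PUBLISHERS["Google Chrome"], signed=True)
    # Signed, but by a certificate that does not belong to the product's vendor.
    lookalike = build_msix("Google Chrome", "CN=Example Software Ltd, O=Example Software Ltd, C=GB", signed=True)
    for label, pkg in (("genuine", genuine), ("lookalike", lookalike)):
        print(label, inspect_msix(pkg))
```

    The lookalike package reports has_signature as true and still produces a warning, which is the point: a valid signature from the wrong subject is exactly what a stolen or purchased certificate buys an attacker.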

    Deceptive Tactics and Lures

    How do victims encounter these packages? The attackers use several delivery methods: compromised websites, SEO poisoning, and malvertising.

    The Infection Process

    Opening the MSIX file shows the standard Windows installer dialog prompting the user to click Install. Doing so runs a PowerShell script that quietly downloads GHOSTPULSE from a remote server (manojsinghnegi[.]com).

    The download is staged. The script first retrieves a TAR archive containing an executable that poses as the Oracle VM VirtualBox service (VBoxSVC.exe) but is in fact the legitimate updater bundled with Notepad++ (gup.exe). The archive also carries handoff.wav and a malicious libcurl.dll. Because gup.exe loads libcurl.dll from its own directory, the malicious copy placed beside it is picked up in place of the real one (DLL side-loading), and that DLL carries the infection forward.

    DLL Manipulation and Its Impact

    Desimone explains the next steps. The PowerShell script executes VBoxSVC.exe, which side-loads the malicious libcurl.dll. Keeping only a minimal amount of encrypted malicious code on disk lets the attackers evade file-based antivirus and machine-learning scanning.

    The DLL then parses handoff.wav, which holds an encrypted payload. Once decrypted, the payload is executed via mshtml.dll using a technique called module stomping: a legitimate DLL is loaded into the process and its executable section is overwritten in memory with the payload, so the malicious code runs from a region backed by a legitimately mapped file rather than from conspicuous unbacked memory. This step loads GHOSTPULSE.

    GHOSTPULSE in Action

    Once running, GHOSTPULSE acts as a loader. It launches the final malware with process doppelgänging, a technique that abuses NTFS transactions to create a process from a transacted file that is never committed to disk, so the executable image never appears as a regular file. Across the samples observed, the final payloads include SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
