A new cyberattack campaign has been observed using fake MSIX Windows App Package files for popular software like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a new malware loader called GHOSTPULSE.
“MSIX is a Windows app package format that developers can use to package, distribute, and install their applications to Windows users,” Elastic Security Labs researcher Joe Desimone said in a technical report published last week.
“However, MSIX requires access to purchased or stolen code signing certificates, making them unviable for groups with above average resources.”
Based on the installers used as lures, it is suspected that potential targets are enticed to download MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malware.
Launching the MSIX file opens a window prompting the user to click the Install button; doing so results in the stealthy download of GHOSTPULSE onto the compromised host from a remote server (“manojsinghnegi[.]com”) via a PowerShell script.
This process takes place over multiple stages, with the first payload being a TAR archive containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but is in reality a legitimate binary bundled with Notepad++ (gup.exe).
The TAR archive also contains a trojanized version of Handoff.wav and libcurl.dll, the latter of which is loaded to take the infection to the next stage by taking advantage of the fact that gup.exe is vulnerable to DLL side-loading.
“The PowerShell binary executes VBoxSVC.exe which will load the malicious DLL libcurl.dll from the current directory,” Desimone said. “By reducing the on-disk footprint of the encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”
The tampered DLL then parses handoff.wav, which in turn carries an encrypted payload that is decoded and executed via mshtml.dll using a method known as module stomping, ultimately loading GHOSTPULSE.
GHOSTPULSE acts as a loader that uses another technique, process doppelganging, to run the final payloads, which include SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
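A defender-side illustration, added here and not part of the Elastic report or this article: a small Python checker run over constructed process-create and image-load records (the Sysmon-style field names and the sample paths are assumptions) that flags the chain described above, a VBoxSVC.exe outside its expected install directory, spawned by PowerShell, that then loads libcurl.dll from its own directory.

```python
"""Added example: flag the GHOSTPULSE-style side-loading chain in endpoint telemetry."""
from pathlib import PureWindowsPath

# Constructed sample telemetry, loosely modelled on Sysmon Event ID 1 (process create)
# and Event ID 7 (image load). Field names and paths are assumptions for this example.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Users\bob\AppData\Local\Temp\x\VBoxSVC.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "gup.exe"},
    {"type": "image_load", "pid": 4120, "image": r"C:\Users\bob\AppData\Local\Temp\x\libcurl.dll"},
    {"type": "process_create", "pid": 5000,
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "original_file_name": "VBoxSVC.exe"},
    {"type": "image_load", "pid": 5000, "image": r"C:\Windows\System32\bcrypt.dll"},
]

# Assumed benign location of the real VirtualBox service binary.
EXPECTED_VBOXSVC_DIR = PureWindowsPath(r"C:\Program Files\Oracle\VirtualBox")


def find_sideload_chain(events):
    """Return {pid: [reasons]} for processes matching the side-loading chain."""
    suspicious = {}  # pid -> (exe directory, reasons gathered from the process-create event)
    for ev in events:
        if ev["type"] != "process_create":
            continue
        img = PureWindowsPath(ev["image"])
        reasons = []
        if img.name.lower() == "vboxsvc.exe" and img.parent != EXPECTED_VBOXSVC_DIR:
            reasons.append("VBoxSVC.exe outside the VirtualBox install directory")
        # The version resource may still name the real binary (assumed here to be gup.exe).
        if ev.get("original_file_name", "").lower() == "gup.exe" and img.name.lower() != "gup.exe":
            reasons.append("renamed Notepad++ updater (OriginalFileName=gup.exe)")
        if PureWindowsPath(ev["parent_image"]).name.lower() == "powershell.exe":
            reasons.append("spawned by PowerShell")
        if reasons:
            suspicious[ev["pid"]] = (img.parent, reasons)
    hits = {}
    for ev in events:
        if ev["type"] != "image_load" or ev["pid"] not in suspicious:
            continue
        dll = PureWindowsPath(ev["image"])
        exe_dir, reasons = suspicious[ev["pid"]]
        # The side-load itself: libcurl.dll resolved from the executable's own directory.
        if dll.name.lower() == "libcurl.dll" and dll.parent == exe_dir:
            hits[ev["pid"]] = reasons + ["libcurl.dll side-loaded from the executable's directory"]
    return hits
```

The legitimate VBoxSVC.exe started by services.exe from its install directory produces no hit, so the rule keys on the combination of location, parent and DLL load rather than on the file name alone.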