GHOSTPULSE Malware Spread Through Fake MSIX Applications
A recent cyber attack campaign has been detected, utilizing fake MSIX Windows application package files for well-known software like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex as a means to disseminate a new malware loader named GHOSTPULSE.
MSIX is a format for Windows application packages that developers can use to bundle, distribute, and install their applications on Windows systems, as explained by Elastic Security Labs researcher Joe Desimone in a recent technical report. Because MSIX packages must be signed, abusing the format depends on access to legitimate or stolen code signing certificates, which makes the technique most practical for groups with significant resources.
Based on the deceptive software installers used as bait, it is suspected that potential victims are tricked into downloading these MSIX packages through various methods, including compromised websites, search engine optimization (SEO) manipulation, or malicious advertising.
Infection Method
Upon launching the MSIX file, a Windows dialog prompts users to click the "Install" button. Doing so triggers the clandestine downloading of GHOSTPULSE onto the compromised system from a remote server located at "manojsinghnegi[.]com" via a PowerShell script.
This process unfolds in multiple stages, with the initial payload being a TAR archive file that contains an executable. This executable pretends to be the Oracle VM VirtualBox service (VBoxSVC.exe), but it is, in fact, a legitimate binary bundled with Notepad++ (gup.exe).
Inside the TAR archive, there's also a file called handoff.wav and a tampered version of libcurl.dll. The renamed gup.exe is susceptible to DLL side-loading, so it loads this malicious libcurl.dll from its own directory, advancing the infection to the next stage.
The manipulated DLL then parses handoff.wav, which conceals an encrypted payload. That payload is decrypted and executed through mshtml.dll using a technique known as module stomping, which ultimately loads GHOSTPULSE.
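The chain described above leaves two observable traces on an endpoint: an executable whose on-disk name (VBoxSVC.exe) does not match the name embedded in its own version resource (gup.exe), and that executable loading libcurl.dll from a user-writable directory next to itself. The following Python script is an added example, not code from the article or from Elastic Security Labs; it correlates constructed process-creation and image-load events in a Sysmon-like JSON shape (the field names EventID, ProcessId, Image, OriginalFileName and ImageLoaded are an assumption for this example) and flags processes that show either trace.

```python
import json
import ntpath

# Constructed sample telemetry (not real logs). Event 1 = process creation,
# event 7 = image (DLL) load. Field names follow a Sysmon-like convention
# and are assumed for this example, not taken from the article.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4120,
                "Image": r"C:\Users\alice\AppData\Local\Temp\VBoxSVC.exe",
                "OriginalFileName": "gup.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"EventID": 7, "ProcessId": 4120,
                "Image": r"C:\Users\alice\AppData\Local\Temp\VBoxSVC.exe",
                "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libcurl.dll"}),
    # Benign control: a genuine VirtualBox service loading a DLL from its install directory.
    json.dumps({"EventID": 1, "ProcessId": 900,
                "Image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
                "OriginalFileName": "VBoxSVC.exe",
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"EventID": 7, "ProcessId": 900,
                "Image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
                "ImageLoaded": r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll"}),
]

# Path fragments that indicate a location a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# DLL named in the article as the side-loaded component.
WATCHED_DLLS = {"libcurl.dll"}


def _is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def find_sideload_candidates(event_lines):
    """Return one finding per suspicious process id, with the reasons it was flagged.

    Two heuristics are applied:
      1. masquerading: the on-disk file name differs from OriginalFileName;
      2. side-load: a watched DLL is loaded from a user-writable directory that
         is the same directory the process image lives in.
    """
    findings = {}

    def flag(pid, image, reason):
        entry = findings.setdefault(pid, {"pid": pid, "image": image, "reasons": []})
        entry["reasons"].append(reason)

    for line in event_lines:
        ev = json.loads(line)
        pid = ev["ProcessId"]
        image = ev["Image"]
        if ev["EventID"] == 1:
            on_disk = ntpath.basename(image).lower()
            original = ev.get("OriginalFileName", "").lower()
            if original and original != on_disk:
                flag(pid, image,
                     f"masquerade: on-disk name {on_disk!r} but OriginalFileName {original!r}")
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"]
            dll = ntpath.basename(loaded).lower()
            same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
            if dll in WATCHED_DLLS and same_dir and _is_user_writable(loaded):
                flag(pid, image,
                     f"side-load: {dll} loaded from user-writable directory {ntpath.dirname(loaded)!r}")

    return sorted(findings.values(), key=lambda f: f["pid"])


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding["pid"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Both heuristics on their own generate noise in a real environment (renamed installers, portable apps that ship their own libcurl.dll), so the value lies in requiring them together for the same process, as the script's output does for the constructed malicious process while leaving the genuine VirtualBox service unflagged.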
GHOSTPULSE serves as a loader and employs another method known as process doppelgänging to initiate the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.