Cybersecurity researchers have observed hackers exploiting MSIX Windows app package files to spread malware.
MSIX is a relatively new, unified packaging format that developers can use to create secure and high-performing applications across platforms.
According to experts from Elastic security labs, someone has been spreading MSIX files masquerading as popular software platforms such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. The distribution channels have not yet been confirmed, but researchers believe it involves the usual mix of compromised websites, SEO poisoning, malvertising, social media and phishing.
Unknown motives
As a loader, the malware itself has one job, and that is to remove one of the following final payloads: SectopRAT, Rhadamanthys, Vidar, Lumma, or NetSupport RAT. While these have different characteristics, the common denominators are remote access, the ability to execute arbitrary code, and data exfiltration.
Users who fall for the scam and run the file will see a prompt with an install button. Pressing the button will drop the GHOSTPULSE malware loader onto their endpoint.
“MSIX requires access to purchased or stolen certificates for code signing, making them viable for groups of above-average resources,” explains Elastic Security Labs researcher Joe Desimone.
Elastic Defend, the company’s endpoint security solution, detects this threat with the following behavioral protection rules:
DNS query for suspected top-level domain
Loading library from a file written by a signed binary proxy
Suspicious API call from an unsigned DLL
Suspicious memory Write to an external process
Process creation from modified NTDLL
The YARA rule “Windows.Trojan.GhostPulse” will also detect GHOSTPULSE loaders on disk.
There is no information on how many companies have been compromised with GHOSTPULSE, or who the threat actor behind the campaign is. We also don’t know what their endgame is, but given the type of malware being distributed in the final stages, it’s safe to assume this is a financially motivated group, or an Initial Access Broker (IAB).
An IAB will typically compromise a network and then sell the access it gains to other threat actors, such as ransomware groups.