New Cyber Attack Campaign Uses MSIX Windows App Package Files to Distribute GHOSTPULSE Malware

A recent cybersecurity investigation has uncovered a new attack campaign that uses fake MSIX Windows app package files to distribute a malware loader called GHOSTPULSE. MSIX is a format developers use to package and distribute their applications to Windows users. Because MSIX packages require code signing certificates, the format tends to be abused by well-resourced cybercriminals.

The attack begins with enticing potential targets to download the MSIX packages through various methods such as compromised websites, search engine optimization (SEO) poisoning, or malvertising. Once the MSIX file is launched, it prompts the user to install the application, and in doing so, a stealthy download of the GHOSTPULSE malware occurs from a remote server.

The attack unfolds in multiple stages. The first payload is a TAR archive containing an executable that poses as the Oracle VM VirtualBox service but is actually a legitimate binary bundled with Notepad++. The archive also contains a trojanized version of libcurl.dll, which advances the infection to the next stage by exploiting a vulnerability in gup.exe.

The PowerShell script executes the binary VBoxSVC.exe, which then side-loads the malicious libcurl.dll from the current directory. By encrypting the malicious code and minimizing its on-disk footprint, the threat actor evades file-based antivirus (AV) and machine learning (ML) scanning. The tampered DLL then parses handoff.wav, which contains an encrypted payload that is decoded and executed via mshtml.dll. This technique, known as module stomping, ultimately leads to the loading of GHOSTPULSE.
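The side-loading step above leaves a detectable pattern: a process loads a DLL name that normally lives in a vendor or system directory (libcurl.dll) from its own user-writable folder, and the same process then reads a media file (handoff.wav) sitting next to the executable. The following detector is an added example written for this page, not code from the report or from Elastic; the JSON event format, its field names and the sample events are constructed assumptions standing in for whatever image-load and file-access telemetry an endpoint sensor actually emits.

```python
"""Flag DLL side-loading from an untrusted directory and correlate it with a
follow-on read of a .wav file in the same directory (the handoff.wav step).

Event format (assumed for this example): one JSON object per line with
  image_load: {"event","pid","image","loaded"}
  file_read:  {"event","pid","path"}
"""
import json
import ntpath  # Windows path semantics regardless of the host OS

# DLL names the page ties to this campaign; a production rule would be broader.
WATCHED_DLLS = {"libcurl.dll"}

# Directories where a DLL loaded from the image's own folder is expected.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Data-file extension the page mentions as the carrier of the encrypted payload.
PAYLOAD_EXTENSIONS = {".wav"}


def is_trusted_dir(directory: str) -> bool:
    return directory.lower().startswith(TRUSTED_PREFIXES)


def sideload_suspect(ev: dict) -> bool:
    """True when a watched DLL is loaded from the loading image's own, untrusted directory."""
    if ev.get("event") != "image_load":
        return False
    loaded = ev.get("loaded", "")
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return False
    image_dir = ntpath.dirname(ev.get("image", "")).lower()
    loaded_dir = ntpath.dirname(loaded).lower()
    return loaded_dir == image_dir and not is_trusted_dir(loaded_dir)


def analyze(lines):
    """Return side-load hits and, for flagged processes, later .wav reads next to the image."""
    sideloads = []      # (pid, image, loaded)
    payload_reads = []  # (pid, path)
    flagged = {}        # pid -> directory of the side-loading image
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        pid = ev.get("pid")
        if sideload_suspect(ev):
            sideloads.append((pid, ev["image"], ev["loaded"]))
            flagged[pid] = ntpath.dirname(ev["image"]).lower()
        elif ev.get("event") == "file_read" and pid in flagged:
            path = ev.get("path", "")
            ext = ntpath.splitext(path)[1].lower()
            if ext in PAYLOAD_EXTENSIONS and ntpath.dirname(path).lower() == flagged[pid]:
                payload_reads.append((pid, path))
    return {"sideloads": sideloads, "payload_reads": payload_reads}


# Constructed sample telemetry: one benign libcurl.dll load from Program Files,
# one VBoxSVC.exe in a Temp folder loading libcurl.dll beside itself, then
# reading handoff.wav from that folder; plus an unrelated .wav read.
SAMPLE_LOG = r'''
{"event":"image_load","pid":4120,"image":"C:\\Program Files\\curl\\bin\\curl.exe","loaded":"C:\\Program Files\\curl\\bin\\libcurl.dll"}
{"event":"image_load","pid":5388,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\VBoxSVC.exe","loaded":"C:\\Windows\\System32\\ntdll.dll"}
{"event":"image_load","pid":5388,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\VBoxSVC.exe","loaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\libcurl.dll"}
{"event":"file_read","pid":5388,"path":"C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\handoff.wav"}
{"event":"file_read","pid":4120,"path":"C:\\Users\\alice\\Music\\song.wav"}
'''

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for pid, image, loaded in result["sideloads"]:
        print(f"side-load: pid={pid} {image} loaded {loaded}")
    for pid, path in result["payload_reads"]:
        print(f"payload read after side-load: pid={pid} {path}")
```

The trusted-directory check is what keeps the benign curl.exe case quiet: loading libcurl.dll from one's own folder is normal under Program Files, and only becomes interesting from a Temp or Downloads path. The .wav correlation is deliberately narrow to the behaviour the page describes; widening it to other non-executable extensions is a tuning decision for the environment.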

GHOSTPULSE serves as a loader for other malware, including SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT. These malware variants are capable of various malicious activities, such as remote access and data theft.

It is important for users to remain vigilant and avoid downloading applications from suspicious sources. Implementing strong endpoint security measures and keeping software up to date can help protect against such attacks.

Sources:
– Elastic Security Labs research report

The post New Cyber Attack Campaign Uses MSIX Windows App Package Files to Distribute GHOSTPULSE Malware appeared first on Fagen Wasanni Technologies.