Hackers Exploit MSIX Windows App Packages to Spread Malware

Cybersecurity Researchers Uncover a New Malware Distribution Method

Cybersecurity experts have recently observed a concerning trend in the world of malware distribution. Hackers are exploiting MSIX Windows app package files to disseminate malicious software.

MSIX, a relatively new and unified packaging format, has gained favor among developers for its ability to create secure and high-performing applications that work seamlessly across various platforms.

Elastic Security Labs, a prominent name in the cybersecurity field, has reported instances of malicious actors distributing MSIX files by disguising them as well-known software platforms. The impersonated software includes familiar names like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. While the exact channels for this distribution have not been confirmed, researchers suspect a blend of compromised websites, SEO poisoning, malvertising, social media, and phishing tactics.


The malware delivered through these MSIX files serves as a loader, with a single primary purpose: to deliver one of several final payloads. These payloads include SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT. Each of these payloads may have distinct features, but they share common functionalities such as enabling remote access, executing arbitrary code, and facilitating data exfiltration.

For unsuspecting users who fall victim to this scam and execute the file, a prompt appears with an “Install” button. Unfortunately, clicking this button results in the installation of the GHOSTPULSE malware loader on their endpoint.

Explaining the method behind the madness, Elastic Security Labs researcher Joe Desimone noted that MSIX files require access to purchased or stolen code signing certificates, making them attractive to groups with above-average resources.

Elastic Defend, the endpoint security solution offered by the company, has deployed behavior protection rules to detect this threat, including DNS queries to suspicious top-level domains, library loads of files written by signed binary proxies, suspicious API calls from unsigned DLLs, suspicious memory writes to remote processes, and process creation from modified NTDLL.
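As an added illustration of the kind of behaviour rules listed above (this is not Elastic Defend's actual rule logic, which the article does not reproduce), the Python below correlates constructed endpoint events for two of them: a library written by a signed binary and loaded shortly afterwards, and DNS queries to suspicious top-level domains. The TLD watch list and the correlation window are assumed placeholders, not values from the page.

```python
# Toy detection over constructed endpoint telemetry (not real GHOSTPULSE data).

# Assumption: TLDs the defender treats as suspicious. The article does not
# publish Elastic's list, so these are placeholders for illustration.
SUSPICIOUS_TLDS = {"xyz", "top", "click"}
WINDOW_SECONDS = 300  # assumed window between file write and library load

# Constructed sample events, already in time order.
EVENTS = [
    {"ts": 10, "type": "file_write", "pid": 4100, "signed": True,
     "image": r"C:\Program Files\WindowsApps\Fake.Chrome_1.0\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"ts": 12, "type": "file_write", "pid": 4200, "signed": False,
     "image": r"C:\Users\u\Downloads\notes.exe",
     "path": r"C:\Users\u\Downloads\plugin.dll"},
    {"ts": 40, "type": "image_load", "pid": 4300,
     "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"ts": 41, "type": "image_load", "pid": 4200,
     "image": r"C:\Users\u\Downloads\notes.exe",
     "path": r"C:\Users\u\Downloads\plugin.dll"},
    {"ts": 45, "type": "dns_query", "pid": 4300, "name": "cdn-update.example.xyz"},
    {"ts": 46, "type": "dns_query", "pid": 4300, "name": "www.example.com"},
]


def suspicious_tld(name: str) -> bool:
    """True when the queried name ends in a TLD on the watch list."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS


def detect(events):
    """Return alert tuples (rule_name, ts, pid) for the two behaviours."""
    written_by_signed = {}  # lower-cased path -> timestamp of the signed write
    alerts = []
    for ev in events:
        if ev["type"] == "file_write" and ev["signed"]:
            # Remember files dropped by signed binaries (the "proxy" writers).
            written_by_signed[ev["path"].lower()] = ev["ts"]
        elif ev["type"] == "image_load":
            wrote_at = written_by_signed.get(ev["path"].lower())
            # A library load of a file a signed binary wrote moments earlier.
            if wrote_at is not None and ev["ts"] - wrote_at <= WINDOW_SECONDS:
                alerts.append(("library_load_from_signed_proxy", ev["ts"], ev["pid"]))
        elif ev["type"] == "dns_query" and suspicious_tld(ev["name"]):
            alerts.append(("dns_suspicious_tld", ev["ts"], ev["pid"]))
    return alerts
```

Running `detect(EVENTS)` yields one alert for the load of `helper.dll` and one for the `.xyz` query; the unsigned writer's DLL and the `.com` lookup produce nothing.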

In addition to these protective measures, a YARA rule labeled “Windows.Trojan.GhostPulse” can identify GHOSTPULSE loaders on disk.

As of now, there is no information available regarding the extent of companies compromised by GHOSTPULSE, the identity of the threat actor behind this campaign, or their ultimate goal. However, based on the nature of the malware distributed in the final stage, it is reasonable to speculate that this may be the work of either a financially motivated group or an Initial Access Broker (IAB).

Initial Access Brokers typically breach a network and subsequently sell the access they have gained to other threat actors, often including ransomware groups. The cybersecurity community continues to monitor this evolving threat landscape closely.