A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.
“MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users,” Elastic Security Labs researcher Joe Desimone said in a technical report published last week.
“However, MSIX requires access to purchased or stolen code signing certificates, making them viable to groups of above-average resources.”
Based on the installers used as lures, it is suspected that potential targets are enticed into downloading the MSIX packages via known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.
Launching the MSIX file opens a window prompting the user to click the Install button; doing so results in the stealthy download of GHOSTPULSE onto the compromised host from a remote server (“manojsinghnegi[.]com”) via a PowerShell script.
This process takes place over multiple stages, with the first payload being a TAR archive containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but is in reality a legitimate binary bundled with Notepad++ (gup.exe).
Also present within the TAR archive are handoff.wav and a trojanized version of libcurl.dll, which is loaded to take the infection process to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading.
“The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll,” Desimone said. “By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”
The tampered DLL then parses handoff.wav, which in turn packs an encrypted payload that is decoded and executed via mshtml.dll, a technique known as module stomping, to ultimately load GHOSTPULSE.
GHOSTPULSE acts as a loader, employing another technique known as process doppelgänging to kick-start the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.