Hackers Deploying MSIX App Packages to Spread GHOSTPULSE Malware on Windows PCs

Researchers have identified a campaign that uses counterfeit MSIX Windows app packages to deliver a new malware loader tracked as GHOSTPULSE. The packages pose as installers for widely used software, including Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex, and that familiar branding is what lures victims into downloading and running them.

Joe Desimone of Elastic Security Labs noted in a technical report published last week that MSIX is a Windows app packaging format that developers use to simplify installing and distributing applications. Because Windows will only install an MSIX package signed with a certificate the device trusts, abusing the format requires a purchased or stolen code-signing certificate, which limits it to threat actors with above-average resources.

The campaign reaches victims through the delivery channels usual for this kind of scam: compromised websites, SEO poisoning, and malvertising. When the victim opens the MSIX file, they are shown the installer prompt and invited to click Install. That single, benign-looking click triggers a PowerShell script that quietly downloads GHOSTPULSE from a remote server.
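What a practitioner can check before clicking Install is the package itself. The following is an added example, not code from Elastic Security Labs or from the campaign: it opens an MSIX package offline (an MSIX is a ZIP container), reports the publisher and entry-point executables declared in AppxManifest.xml, whether a signature file is present, which script files it ships, and whether a Package Support Framework (PSF) config.json declares startScript or endScript entries, which is one documented way for an MSIX to run a PowerShell script when an application launches. The page does not say which mechanism this campaign used, so the PSF check is one indicator among several; the sample package the block builds is constructed for the example.

```python
"""Offline triage of an MSIX package.

An MSIX file is a ZIP container.  AppxManifest.xml names the publisher and
the entry-point executables; an optional Package Support Framework (PSF)
config.json can declare startScript/endScript entries that run a script when
an application in the package launches.  This is an added example, not code
from Elastic Security Labs or from the campaign.  build_sample_package()
creates a constructed package for illustration only.
"""
import io
import json
import posixpath
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def inspect_msix(data: bytes) -> dict:
    """Return structural findings for one package without installing it."""
    findings = {
        "publisher": None,
        "executables": [],
        "signature_file_present": False,
        "script_files": [],
        "psf_scripts": [],
        "flags": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # AppxSignature.p7x carries the package signature.  Its presence only
        # shows the package is signed by someone; trust still has to be
        # established by validating the chain (Get-AuthenticodeSignature on
        # Windows), which this offline example does not do.
        findings["signature_file_present"] = "AppxSignature.p7x" in names

        if "AppxManifest.xml" in names:
            root = ET.fromstring(pkg.read("AppxManifest.xml"))
            ident = root.find("m:Identity", MANIFEST_NS)
            if ident is not None:
                findings["publisher"] = ident.get("Publisher")
            for app in root.iterfind(".//m:Application", MANIFEST_NS):
                findings["executables"].append(app.get("Executable", ""))

        findings["script_files"] = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]

        # PSF: any config.json in the package may carry start/end scripts.
        for name in names:
            if posixpath.basename(name).lower() != "config.json":
                continue
            try:
                cfg = json.loads(pkg.read(name))
            except ValueError:
                continue
            for app in cfg.get("applications", []):
                for hook in ("startScript", "endScript"):
                    spec = app.get(hook)
                    if isinstance(spec, dict) and spec.get("scriptPath"):
                        findings["psf_scripts"].append((hook, spec["scriptPath"]))

    if not findings["signature_file_present"]:
        findings["flags"].append("unsigned package")
    if any(posixpath.basename(e).lower().startswith("psflauncher") for e in findings["executables"]):
        findings["flags"].append("entry point is the PSF launcher")
    if findings["psf_scripts"]:
        findings["flags"].append("PSF script runs at application start/exit")
    if findings["script_files"]:
        findings["flags"].append("script files shipped inside package")
    return findings


def build_sample_package(with_psf_script: bool) -> bytes:
    """Build a minimal constructed package in memory (not a real installer)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Example.App" Publisher="CN=Example Publisher" Version="1.0.0.0"/>'
        '<Applications><Application Id="App" Executable="%s"/></Applications>'
        "</Package>"
    ) % ("PsfLauncher64.exe" if with_psf_script else "app.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("AppxSignature.p7x", b"constructed-signature-bytes")
        if with_psf_script:
            cfg = {"applications": [{"id": "App", "executable": "app.exe",
                                      "startScript": {"scriptPath": "StartingScriptWrapper.ps1",
                                                      "waitForScriptToFinish": True}}]}
            pkg.writestr("config.json", json.dumps(cfg))
            pkg.writestr("StartingScriptWrapper.ps1", "# constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for suspicious in (False, True):
        print(inspect_msix(build_sample_package(suspicious)))
```

The publisher string is only useful when compared against the vendor the package claims to be from; a valid signature from an unrelated company on a "Chrome" installer is exactly the pattern this campaign depends on, and nothing in the package structure alone proves the certificate was not stolen.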

The downloaded payload is a TAR archive that kicks off a multi-stage chain. The archive holds an executable named to look like the Oracle VM VirtualBox service but which is in fact a renamed, legitimately signed Notepad++ component, together with a trojanized copy of a DLL that binary expects to load and the other files needed for the later stages.

GHOSTPULSE relies on DLL side-loading to execute its later stages while staying out of sight of conventional antivirus. Desimone explains that the PowerShell script launches the renamed signed binary, which in turn loads the malicious DLL placed beside it. This works because Windows searches an application's own directory before the system directories when resolving a DLL by name, so a trusted, signed host will load a same-named DLL dropped next to it. Only the small loader DLL needs to be readable on disk; the later stages stay encrypted, which limits what a file scanner can see.
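The side-loading step is what endpoint telemetry can catch. Below is an added example, not a detection rule from Elastic Security Labs, that runs a simple hunt over a few constructed, Sysmon-style process-creation and image-load records: it flags an unsigned DLL loaded from the same directory as a signed host process when that host is renamed (its OriginalFileName from the PE version resource does not match its on-disk name) or runs from a user-writable directory. The simplified field names, paths and binary names in the sample events are constructed for illustration.

```python
"""Hunting DLL side-loading by a renamed, signed host binary.

Input is a simplified, constructed event schema modelled on Sysmon process
creation (Event ID 1) and image load (Event ID 7) records: the host's on-disk
Image path and the OriginalFileName from its PE version resource, then each
DLL it loads with a Signed flag.  This is an added example, not a rule from
Elastic Security Labs; the field names and sample events are constructed.
"""
import ntpath

# Paths ordinary users can write to; a signed vendor binary rarely runs from here.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


def _is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def find_sideload_candidates(events):
    """Return a finding for each unsigned DLL loaded from a signed host's own
    directory when the host is renamed or runs from a user-writable path."""
    hosts = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    findings = []
    for ev in events:
        if ev["EventType"] != "ImageLoad":
            continue
        host = hosts.get(ev["ProcessId"])
        if host is None or host.get("Signed") != "true" or ev.get("Signed") == "true":
            continue  # the pattern is a signed host loading an unsigned DLL
        host_path, dll_path = host["Image"], ev["ImageLoaded"]
        if ntpath.dirname(host_path).lower() != ntpath.dirname(dll_path).lower():
            continue  # side-loading abuses the application directory's search priority
        reasons = []
        original = host.get("OriginalFileName", "")
        if original and original.lower() != ntpath.basename(host_path).lower():
            reasons.append("signed host renamed (OriginalFileName=%s)" % original)
        if _is_user_writable(host_path):
            reasons.append("host runs from user-writable directory")
        if reasons:
            findings.append({"ProcessId": ev["ProcessId"], "Host": host_path,
                             "Dll": dll_path, "Reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = [
    # Signed updater binary renamed to look like a VirtualBox service, staged in Temp.
    {"EventType": "ProcessCreate", "ProcessId": 4412,
     "Image": r"C:\Users\victim\AppData\Local\Temp\setup\VBoxSVC.exe",
     "OriginalFileName": "gup.exe", "Signed": "true"},
    {"EventType": "ImageLoad", "ProcessId": 4412,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventType": "ImageLoad", "ProcessId": 4412,
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\setup\libcurl.dll", "Signed": "false"},
    # The genuine updater in its vendor directory loading its own signed DLL: no finding.
    {"EventType": "ProcessCreate", "ProcessId": 5100,
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "OriginalFileName": "gup.exe", "Signed": "true"},
    {"EventType": "ImageLoad", "ProcessId": 5100,
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll", "Signed": "true"},
    # An unsigned tool loading an unsigned DLL: noisy, but not this pattern.
    {"EventType": "ProcessCreate", "ProcessId": 6200,
     "Image": r"C:\Users\victim\Downloads\tool\tool.exe",
     "OriginalFileName": "tool.exe", "Signed": "false"},
    {"EventType": "ImageLoad", "ProcessId": 6200,
     "ImageLoaded": r"C:\Users\victim\Downloads\tool\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding)
```

The OriginalFileName comparison is the cheap tell for a renamed signed binary. In real telemetry the host's signature status comes from an endpoint agent or from the image-load record for the executable itself rather than from the process-creation event, and the user-writable-path heuristic needs tuning for legitimate per-user installers before it is used as an alert.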

The trojanized DLL then reads an audio file shipped in the archive that carries an encrypted payload, and decrypts it in memory. The decrypted stage is executed through module stomping: a legitimate DLL is loaded into the process and its code is overwritten with the payload, so the malicious code runs from memory that appears to belong to a legitimately mapped image. GHOSTPULSE itself is a loader; once running, it delivers its final payload using process doppelgänging, which writes the payload into a file inside an NTFS transaction, creates an image section from it, rolls the transaction back so nothing remains on disk, and starts a process from that section.

The final payloads observed include SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT, a mix of information stealers and remote access tools that puts businesses and individual users alike at risk. Organizations are urged to stay vigilant and maintain robust defenses against multi-stage threats of this kind.

The campaign lines up with several MITRE ATT&CK techniques: SEO poisoning and malvertising to stage the lure (SEO poisoning is T1608.006), user execution of a malicious file (T1204.002), code signing with a purchased or stolen certificate to pass as a legitimate installer (T1553.002), DLL side-loading (T1574.002), and process injection by process doppelgänging (T1055.013). The practical lesson for organizations is that a valid signature on an unexpected installer is not sufficient evidence of legitimacy; software should be obtained only from vendor sources, and teams should be continually reminded of the risk of downloading unverified software.
