Hackers use MSIX apps to spread GHOSTPULSE malware

February 20, 2024

A newly discovered cybercriminal campaign leveraged compromised MSIX Windows application package files to propagate a new type of malware loader called GHOSTPULSE.

The threat actors disguise these fraudulent MSIX packages as popular software applications such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to lure users. MSIX is a format developers can use to package, distribute, and install their applications on Windows systems. Because the format requires access to a code-signing certificate, it is an attractive option mainly for well-resourced cybercriminals.

The attackers likely lure potential victims into downloading these MSIX packages via standard tactics such as compromised websites, search engine optimisation (SEO) poisoning, or malvertising.

The GHOSTPULSE loader infects a user once they open and install the deceptive MSIX package.

When a user opens the fraudulent MSIX file, a Windows prompt urges them to click the Install button. Doing so silently launches a PowerShell script that downloads the malware from a remote server (“manojsinghnegi[.]com”).

This process runs in multiple stages. The initial payload is a TAR archive containing an executable named VBoxSVC.exe that poses as the Oracle VM VirtualBox service; it is in fact the legitimate updater (gup.exe) bundled with Notepad++, renamed. The archive also includes handoff.wav and a modified libcurl.dll, which the renamed gup.exe loads to advance the infection, abusing that binary's susceptibility to DLL sideloading.

The researchers explained that PowerShell starts VBoxSVC.exe, which sideloads the malicious libcurl.dll from its current directory. By keeping the encrypted malicious code's on-disk footprint minimal, the attackers can evade file-based AV and ML scanning.

The tampered DLL continues the attack by parsing handoff.wav, which contains an encrypted payload that is decrypted and then executed inside the memory of a legitimately loaded mshtml.dll, a method known as module stomping. This stage ultimately leads to the execution of GHOSTPULSE.

GHOSTPULSE serves as a loader and employs another technique, process doppelganging, to launch the final payloads, which have included SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
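The most observable step in the chain described above is a script host starting a renamed gup.exe that loads libcurl.dll from its own directory. The following detection logic, added here as an example and not part of the original report, runs that check over constructed Sysmon-style process-create and image-load records; the sample paths and the expected VirtualBox install directory are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# Paths are sample values made up for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\VBoxSVC.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 7, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\VBoxSVC.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\libcurl.dll"},
    {"id": 7, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\VBoxSVC.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"id": 1, "pid": 5210, "image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 7, "pid": 5210, "image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

# Install roots where loading a DLL from the executable's own directory is expected.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Executable names the campaign impersonates, mapped to the directory a genuine copy
# lives in (assumed from the default VirtualBox install path).
EXPECTED_DIR = {"vboxsvc.exe": r"C:\Program Files\Oracle\VirtualBox"}

def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)

def sideload_findings(events):
    """One finding per image load where a process outside the trusted roots loads a
    DLL from its own directory; a script-host parent raises the severity."""
    parents = {e["pid"]: e["parent"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] != 7 or in_trusted_root(e["image"]):
            continue
        image, dll = PureWindowsPath(e["image"]), PureWindowsPath(e["loaded"])
        if dll.parent != image.parent:
            continue  # resolved from System32 or elsewhere: not a sideload from CWD
        parent = PureWindowsPath(parents.get(e["pid"], "")).name.lower()
        expected = EXPECTED_DIR.get(image.name.lower())
        findings.append({
            "pid": e["pid"], "image": str(image), "dll": dll.name, "parent": parent,
            "severity": "high" if parent in SCRIPT_HOSTS else "medium",
            "impersonates": expected if expected and image.parent != PureWindowsPath(expected) else None,
        })
    return findings
```

Calling sideload_findings(SAMPLE_EVENTS) yields a single high-severity finding for the Temp-resident VBoxSVC.exe loading libcurl.dll under a PowerShell parent, while the genuine VirtualBox process and the System32 loads are ignored.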

Users should refrain from downloading MSIX Windows applications from third-party or untrusted sources, since threat actors are using such packages to spread this malware loader.
