A new cyberattack campaign has been found to be using MSIX — a Windows application packaging format — to infect Windows PCs and evade detection by dropping a stealthy malware loader into its victim’s PC.
Developers commonly use MSIX to package, distribute, and install their applications to Windows users, and is now being used for initial infection to deliver the malware loader, dubbed Ghostpulse, researchers at Elastic Security Labs have discovered.
“In a common attack scenario, we suspect the users are directed to download malicious MSIX packages through compromised websites, search engine optimization (SEO) techniques, or malvertising,” the researchers said in a blog post. “The masquerading themes we’ve observed include installers for Chrome, Brave, Edge, Grammarly, and WebEx to highlight a few.”
MSIX packages can be installed through the Windows App Installer with just a “double click,” without having to elaborately use a deployment and configuration tool like PowerShell. However, the malicious MSIX does have to have a purchased or signed certificate to be a viable offensive, researchers added.
Initial infection through DLL sideloading
The infection is carried out in multiple stages starting with a poser executable, according to the researchers. Launching the MSIX file opens a window prompting an install action, which ultimately results in a stealthy download of Ghostpulse.
At the first stage, the installer downloads a tape archive (TAR) file payload, which is an executable masquerading as the Oracle VM VirtualBox service (VBoxSVC.exe) but in reality, is a legitimate binary that’s bundled with Notepad++ (gup.exe), which is vulnerable to sideloading, according to the researchers.
“The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll,” the researchers added. “By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”
Ghospulse used as a loader
Ghostpulse employs Process Doppelganging and acts as a loader, leveraging the NTFS transactions feature to inject the final payload into a new child process, according to the blog.
The final malware includes various infostealers, such as SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
“The objective of Ghostpulse’s Stage 3 (final step) is to load and execute the final payload in another process,” researchers added. “One interesting part of Stage 3 was that it overwrites its previously executed instructions with new instructions to make analysis difficult.”
The researchers noted that the Ghostpulse loader is also capable of establishing persistence.