2023-10-30

A new cyberattack campaign has been found to be using MSIX, a Windows application packaging format, to infect Windows PCs and evade detection by dropping a stealthy malware loader onto the victim's PC.

Developers commonly use MSIX to package, distribute, and install their applications for Windows users, and the format is now being used for initial infection to deliver a malware loader dubbed Ghostpulse, researchers at Elastic Security Labs have discovered.

"In a common attack scenario, we suspect the users are directed to download malicious MSIX packages through compromised websites, search engine optimization (SEO) techniques, or malvertising," the researchers said in a blog post. "The masquerading themes we've observed include installers for Chrome, Brave, Edge, Grammarly, and WebEx to highlight a few."

MSIX packages can be installed through the Windows App Installer with just a "double click," without having to use a deployment and configuration tool like PowerShell. However, the malicious MSIX does have to carry a purchased or otherwise obtained code-signing certificate to be a viable attack vector, the researchers added.

Initial infection through DLL sideloading

The infection is carried out in multiple stages, starting with a decoy executable, according to the researchers. Launching the MSIX file opens a window prompting an install action, which ultimately results in a stealthy download of Ghostpulse.

At the first stage, the installer downloads a tape archive (TAR) file payload containing an executable masquerading as the Oracle VM VirtualBox service (VBoxSVC.exe). In reality it is a legitimate binary bundled with Notepad++ (gup.exe) that is vulnerable to DLL sideloading, according to the researchers.

"The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll," the researchers added. "By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning."

Ghostpulse used as a loader

Ghostpulse employs Process Doppelgänging and acts as a loader, leveraging the NTFS transactions feature to inject the final payload into a new child process, according to the blog.

The final malware includes various infostealers, such as SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.

"The objective of Ghostpulse's Stage 3 (final step) is to load and execute the final payload in another process," the researchers added. "One interesting part of Stage 3 was that it overwrites its previously executed instructions with new instructions to make analysis difficult."

The researchers noted that the Ghostpulse loader is also capable of establishing persistence.
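The sideloading step described above (a renamed copy of the legitimate Notepad++ updater gup.exe, presented as VBoxSVC.exe, loading a malicious libcurl.dll from its own directory) is the kind of behaviour a defender can hunt for in image-load telemetry. The following Python script is an added detection example, not code from the article or from Elastic Security Labs. It runs over a few constructed image-load events; the event field names (process_image, original_file_name, module_path) are an assumption modelled loosely on what EDR image-load records typically carry, and the sample paths are invented for illustration.

```python
"""Flag DLL-sideloading candidates in image-load events.

Added detection example (not from the article). Two signals are combined:
  1. a known sideloadable host binary (gup.exe, per the article) running
     under a different file name than its PE OriginalFileName, and
  2. the DLL the article names (libcurl.dll) being loaded from the same
     directory as the process image, outside trusted install roots.
"""
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: Notepad++ updater loading its bundled libcurl.dll from Program Files.
    {"process_image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "original_file_name": "gup.exe",
     "module_path": r"C:\Program Files\Notepad++\updater\libcurl.dll"},
    # Suspicious: gup.exe renamed to VBoxSVC.exe, loading libcurl.dll from a
    # user-writable staging directory (constructed path).
    {"process_image": r"C:\Users\alice\AppData\Local\Temp\pkg\VBoxSVC.exe",
     "original_file_name": "gup.exe",
     "module_path": r"C:\Users\alice\AppData\Local\Temp\pkg\libcurl.dll"},
    # Benign: unrelated system process loading a DLL from System32.
    {"process_image": r"C:\Windows\System32\svchost.exe",
     "original_file_name": "svchost.exe",
     "module_path": r"C:\Windows\System32\rpcss.dll"},
]

# Host binaries and DLL names the article identifies in this campaign.
SIDELOAD_HOSTS = {"gup.exe"}
SIDELOAD_DLLS = {"libcurl.dll"}

# Directories under which a legitimate install is expected (assumption: typical
# per-machine install roots; extend for your own environment).
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")


def _win_dirname(path: str) -> str:
    """Directory part of a Windows path, lower-cased (works on non-Windows hosts)."""
    return path.rsplit("\\", 1)[0].lower()


def _win_basename(path: str) -> str:
    """File-name part of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an image-load event looks like sideloading."""
    reasons: List[str] = []
    exe_name = _win_basename(ev["process_image"])
    original = ev["original_file_name"].lower()
    dll_name = _win_basename(ev["module_path"])

    if original not in SIDELOAD_HOSTS or dll_name not in SIDELOAD_DLLS:
        return reasons  # not one of the host/DLL pairs we are hunting

    if original != exe_name:
        reasons.append(f"renamed host binary: {exe_name} has OriginalFileName {original}")

    dll_dir = _win_dirname(ev["module_path"])
    same_dir = dll_dir == _win_dirname(ev["process_image"])
    untrusted = not dll_dir.startswith(TRUSTED_ROOTS)
    if same_dir and untrusted:
        reasons.append(f"{dll_name} loaded from untrusted process directory {dll_dir}")
    return reasons


def find_sideload_candidates(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (process_image, reasons) for every event that triggers at least one signal."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["process_image"], reasons))
    return hits


if __name__ == "__main__":
    for image, why in find_sideload_candidates(SAMPLE_EVENTS):
        print(image)
        for r in why:
            print("  -", r)
```

The benign gup.exe event is not flagged because the DLL sits under a trusted install root and the file name matches its OriginalFileName; the renamed copy in the temp directory trips both signals. In practice the host-binary and DLL lists would be fed from threat intelligence rather than hard-coded, and the trusted-root list tuned to the organisation's own install paths.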