Thanks to the work of Elastic Security Labs, a new campaign of cyber attacks has been identified that is causing considerable concern among users and professionals.
The campaign uses fake Windows MSIX app packages posing as popular software, including the browsers Google Chrome, Microsoft Edge and Brave, as well as other applications such as Grammarly and Cisco Webex. Everything is orchestrated by cybercriminals to spread a new malware loader, which has been given the name GHOSTPULSE.
According to researcher Joe Desimone, "MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications for users on this OS".
By analyzing the installers used as bait, the experts believe that the malicious MSIX packages are spread through hacked websites, SEO poisoning and malvertising.
GHOSTPULSE alert: a danger for the main browsers in circulation (and not only)
Launching the MSIX file opens a Windows dialog prompting the user to click the Install button, which results in the covert download of GHOSTPULSE to the compromised host from a remote server via a PowerShell script.
The process takes place in several stages. The first payload is a TAR archive containing an executable disguised as an Oracle VM VirtualBox service (VBoxSVC.exe), which is actually a legitimate binary bundled with Notepad++ (namely gup.exe).
The TAR archive also contains handoff.wav and a trojanized version of libcurl.dll, which is loaded to advance the infection to the next stage by exploiting the fact that gup.exe is vulnerable to DLL sideloading.
Desimone explains that "PowerShell runs the VBoxSVC.exe binary which will load the malicious DLL libcurl.dll from the current directory", adding that with this modus operandi the chances of spotting the malware in action are reduced to a minimum.
The tampered DLL then parses handoff.wav, which in turn embeds an encrypted payload that is decoded and executed via mshtml.dll, followed by the actual infection with GHOSTPULSE.
The loader employs a technique known as process doppelgänging to launch the final malware, which may be one of several agents such as SectopRAT, Rhadamanthys, Vidar, Lumma and NetSupport RAT.
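The sideloading step described above leaves a recognizable footprint: a legitimate binary renamed on disk (gup.exe presented as VBoxSVC.exe) loading a libcurl.dll from its own, untrusted directory. The following added example (not code from the article or from Elastic Security Labs) runs a simple check for that pattern over constructed Sysmon-style image-load events; the event field names and sample paths are assumptions.

```python
import ntpath

# Constructed sample events (not real telemetry): process image on disk, the
# OriginalFilename from its PE version info, the DLL it loaded, and whether
# that DLL carried a valid signature.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Local\Temp\pkg\VBoxSVC.exe",
     "original_filename": "gup.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\pkg\libcurl.dll",
     "signed": False},
    {"image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "original_filename": "gup.exe",
     "loaded": r"C:\Program Files\Notepad++\updater\libcurl.dll",
     "signed": True},
    {"image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "original_filename": "VBoxSVC.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "signed": True},
]

# Directories from which a libcurl.dll next to its host binary is expected.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def sideload_indicators(event):
    """Return the reasons an image-load event resembles the renamed-gup.exe /
    libcurl.dll sideloading stage; an empty list means nothing suspicious."""
    reasons = []
    image, dll = event["image"], event["loaded"]
    image_name = ntpath.basename(image).lower()
    orig_name = event["original_filename"].lower()
    dll_name = ntpath.basename(dll).lower()
    # On-disk name differs from the PE OriginalFilename (VBoxSVC.exe vs gup.exe).
    if image_name != orig_name:
        reasons.append(f"renamed binary: {image_name} has OriginalFilename {orig_name}")
    # libcurl.dll resolved from the executable's own directory outside a trusted root.
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    if dll_name == "libcurl.dll" and same_dir and not dll.lower().startswith(TRUSTED_ROOTS):
        reasons.append("libcurl.dll loaded from an untrusted application directory")
    if dll_name == "libcurl.dll" and not event["signed"]:
        reasons.append("unsigned libcurl.dll")
    return reasons


def scan(events):
    """Map each suspicious image path to its list of indicators."""
    return {e["image"]: r for e in events if (r := sideload_indicators(e))}
```

A real deployment would take the same fields from Sysmon Event ID 7 (image load) and compare the DLL's directory against the installed application's directory rather than a fixed list of roots.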