Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware


October 30, 2023 at 12:42AM

A cyber attack campaign has been using MSIX Windows app package files to distribute a new malware loader named GHOSTPULSE. The packages pose as installers for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. Potential victims are lured into downloading them through compromised websites, SEO poisoning, or malvertising. The malware is fetched stealthily onto the compromised host and proceeds through multiple stages to load GHOSTPULSE, which in turn executes other malware such as SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.

Summary:

A new cyber attack campaign has been identified that uses MSIX Windows app package files posing as popular software to distribute a malware loader called GHOSTPULSE. The campaign reaches potential victims through compromised websites, SEO poisoning, or malvertising. When a user clicks the install button in the MSIX file, a PowerShell script fetches GHOSTPULSE from a remote server onto the compromised host. The infection proceeds in multiple stages: the initial payload is a TAR archive containing an executable disguised as the Oracle VM VirtualBox service, which is in fact a legitimate binary bundled with Notepad++. The archive also includes a trojanized version of libcurl.dll, which the legitimate executable loads via DLL side-loading to advance the infection. The tampered DLL extracts an encrypted payload from handoff.wav and executes it through mshtml.dll, ultimately loading GHOSTPULSE. GHOSTPULSE then acts as a loader for other malware, including SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
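The side-loading step described above has a detectable shape: a signed executable in a user-writable directory loads an unsigned DLL from that same directory, with the campaign's known file names nearby. The following triage script is an added example, not code from the article or from the researchers who reported the campaign; the event schema, the sample paths and file names, and the two-hit threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
@dataclass
class ImageLoad:                 # one image-load event (schema is an assumption)
    process: str                 # full path of the process that loaded the DLL
    image: str                   # full path of the loaded DLL
    process_signed: bool         # Authenticode verdict for the process binary
    image_signed: bool           # Authenticode verdict for the DLL
    siblings: tuple              # file names next to the process binary

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
CAMPAIGN_DLLS = {"libcurl.dll"}    # trojanised DLL named in the article
CAMPAIGN_FILES = {"handoff.wav"}   # encrypted payload carrier named in the article

def score(ev: ImageLoad) -> list[str]:
    """Reasons the event looks like the side-loading step; empty list means clean."""
    proc, dll = PureWindowsPath(ev.process), PureWindowsPath(ev.image)
    reasons = []
    # Generic side-loading shape: a signed EXE pulls an unsigned DLL from its own
    # directory, and that directory is outside the trusted install roots.
    if (ev.process_signed and not ev.image_signed and proc.parent == dll.parent
            and not ev.process.lower().startswith(TRUSTED_ROOTS)):
        reasons.append("signed EXE loads unsigned DLL from a user-writable directory")
    if dll.name.lower() in CAMPAIGN_DLLS:
        reasons.append(f"{dll.name} matches the DLL name used in this campaign")
    if CAMPAIGN_FILES & {s.lower() for s in ev.siblings}:
        reasons.append("payload carrier handoff.wav sits next to the executable")
    return reasons

def triage(events, min_reasons=2):
    """Return (process, reasons) for events with at least min_reasons hits."""
    hits = []
    for ev in events:
        reasons = score(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev.process, reasons))
    return hits

# Constructed sample events: one mimicking the drop in the article, one benign.
SAMPLE = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\VBoxSVC.exe",
              r"C:\Users\alice\AppData\Local\Temp\libcurl.dll",
              True, False, ("VBoxSVC.exe", "libcurl.dll", "handoff.wav")),
    ImageLoad(r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Program Files\Notepad++\libcurl.dll",
              True, True, ("notepad++.exe", "libcurl.dll")),
]
for process, reasons in triage(SAMPLE):
    print(process, "->", "; ".join(reasons))
```

The benign Notepad++ event scores one hit (the DLL name alone) and stays below the threshold, so the name match only raises an alert when combined with the side-loading shape or the payload carrier.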
