Elastic Security Labs Recorded New Wave of Attacks
Elastic Security Labs has recently reported a new wave of attacks, in which attackers are utilizing fake MSIX application packages to distribute a malicious bootloader named Ghostpulse. The files are disguised as popular software products such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. The malicious activities behind these attacks point to the involvement of a well-resourced criminal group.
What is MSIX?
MSIX is the format used for Windows applications, allowing developers to package and distribute their apps to Windows users. It has been noted that the creation of MSIX packages requires access to purchased or stolen code signing certificates, highlighting the significant resources possessed by the criminal group responsible for these attacks.
Infection Process
The victims are assumed to be exposed to the harmful packages through infected websites, manipulations with search engine results, or malicious advertisements. When the malicious MSIX file is launched, users see a window prompting them to install the program. However, clicking “Install” initiates the hidden Ghostpulse load from a remote server using a PowerShell script crafted by the attackers.
The infection process occurs in multiple stages. Initially, a TAR archive is loaded, which is disguised as the Oracle VM VirtualBox service but is actually a legitimate program, NOTEPAD++. The archive also contains the encrypted file “Handoff.wav” and a modified version of “Libcurl.dll”. These components are used to progress to the next stage of infection by employing the DLL Sideloading method.
The substituted DLL file is processed by analyzing “Handoff.wav”, which contains the encrypted malicious code. This code is decrypted and executed using “mshtml.dll” through a technique known as “Module Stomping”. The culmination of these actions ultimately triggers the activation of Ghostpulse.
Ghostpulse as a Bootloader
Ghostpulse acts as a bootloader employing a technique called “process hollowing”. This method allows attackers to create hidden copies of processes in RAM and utilize them to introduce harmful code. By altering various parameters of the process in memory, such as file descriptors and exceptions