A new cyberattack campaign has been found to be using MSIX — a Windows application packaging format — to infect Windows PCs and evade detection by dropping a stealthy malware loader into its victim’s PC.
Developers commonly use MSIX to package, distribute, and install their applications for Windows users; the same format is now being used for initial infection to deliver a malware loader dubbed Ghostpulse, researchers at Elastic Security Labs have discovered.
“In a common attack scenario, we suspect the users are directed to download malicious MSIX packages through compromised websites, search engine optimization (SEO) techniques, or malvertising,” the researchers said in a blog post. “The masquerading themes we’ve observed include installers for Chrome, Brave, Edge, Grammarly, and WebEx to highlight a few.”
MSIX packages can be installed through the Windows App Installer with just a double click, without having to use a deployment and configuration tool such as PowerShell. However, the malicious MSIX package must be signed (for example with a purchased certificate) to be a viable attack, the researchers added.
Initial infection through DLL sideloading
The infection is carried out in multiple stages, starting with an impostor executable, according to the researchers. Launching the MSIX file opens a window prompting an install action, which ultimately results in a stealthy download of Ghostpulse.
At the first stage, the installer downloads a tape archive (TAR) file payload containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but is in reality a legitimate binary bundled with Notepad++ (gup.exe), which is vulnerable to DLL sideloading, according to the researchers.
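The sideloading stage above combines two observable traits: a legitimate, signed binary (gup.exe) running under a different name from an unexpected directory, and a DLL being loaded from that same directory rather than from the system folders. The following detection sketch, added here as an example and not code from Elastic Security Labs or the article, shows how both traits can be checked over Sysmon-style process-create (event 1) and image-load (event 7) records. It keys on the PE OriginalFileName field, which survives renaming on disk. All events, paths, the user name and the DLL name are constructed placeholders, not indicators from the Ghostpulse campaign, and the Notepad++ install directories are an assumed default.

```python
"""Detection sketch for DLL sideloading of a renamed, relocated legitimate binary.

Added example, not code from Elastic Security Labs or the article. It runs
over CONSTRUCTED Sysmon-style events; every path, DLL name and user below is
a placeholder, not an indicator from the Ghostpulse campaign.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Binaries known to be abused as sideloading hosts, keyed by the PE
# OriginalFileName (the name survives renaming on disk), mapped to the
# directories they are expected to run from. gup.exe is the Notepad++
# updater named in the article; the paths are an assumed default install.
KNOWN_SIDELOAD_HOSTS = {
    "gup.exe": {
        r"c:\program files\notepad++\updater",
        r"c:\program files (x86)\notepad++\updater",
    },
}

# DLLs loaded from these directories are the normal case, not sideloading.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Event:
    """Subset of Sysmon fields: event 1 (process create) or 7 (image load)."""
    event_id: int
    image: str                    # full path of the process executable
    original_file_name: str = ""  # PE version-info name (event 1)
    image_loaded: str = ""        # full path of the DLL (event 7)
    signed: bool = True           # Sysmon 'Signed' field (event 7)


def _lower_dir(path: str) -> str:
    """Parent directory of a Windows path, lower-cased for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def check_process_create(ev: Event):
    """Flag a known sideload host that was renamed or moved out of its install dir."""
    expected_dirs = KNOWN_SIDELOAD_HOSTS.get(ev.original_file_name.lower())
    if expected_dirs is None:
        return None
    on_disk = PureWindowsPath(ev.image).name.lower()
    run_dir = _lower_dir(ev.image)
    if on_disk != ev.original_file_name.lower():
        return f"{ev.original_file_name} running under a different name: {ev.image}"
    if run_dir not in expected_dirs:
        return f"{ev.original_file_name} running outside its install dir: {run_dir}"
    return None


def check_image_load(ev: Event):
    """Flag an unsigned DLL loaded from the process's own directory (classic sideload)."""
    dll_dir = _lower_dir(ev.image_loaded)
    if dll_dir in SYSTEM_DLL_DIRS or ev.signed:
        return None
    if dll_dir == _lower_dir(ev.image):
        dll = PureWindowsPath(ev.image_loaded).name
        return f"unsigned {dll} loaded from process dir by {ev.image}"
    return None


def scan(events):
    """Run the two checks over an event stream and return the alert strings."""
    alerts = []
    for ev in events:
        if ev.event_id == 1:
            hit = check_process_create(ev)
        elif ev.event_id == 7:
            hit = check_image_load(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample stream: a benign updater run, then the pattern the
# article describes (gup.exe dropped under another name, loading a DLL
# beside it). 'payload.dll' is a placeholder, not a Ghostpulse IoC.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\Notepad++\updater\gup.exe", original_file_name="gup.exe"),
    Event(7, r"C:\Program Files\Notepad++\updater\gup.exe",
          image_loaded=r"C:\Windows\System32\kernel32.dll", signed=True),
    Event(1, r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe", original_file_name="gup.exe"),
    Event(7, r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe",
          image_loaded=r"C:\Users\victim\AppData\Local\Temp\payload.dll", signed=False),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Keying on OriginalFileName rather than the on-disk name is what lets the first check catch the VBoxSVC.exe disguise; the second check only fires for an unsigned DLL next to the executable, so a signed vendor DLL shipping in the same folder does not trip it. In a real pipeline the host list would be broader and the expected directories taken from inventory data rather than hard-coded.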