
GHOSTPULSE Malware

A stealthy cyberattack campaign has been detected that uses fake MSIX Windows application packages posing as installers for well-known software such as Google Chrome, Microsoft Edge, Brave, Grammarly and Cisco Webex. These malicious packages are being used to distribute a new malware loader called GHOSTPULSE.

MSIX is a Windows application package format that developers use to package, distribute and install their software on Windows systems. Windows will only install an MSIX package that is signed with a certificate the system trusts, so distributing a malicious package requires a legitimately obtained or stolen code-signing certificate. That requirement makes the technique most practical for well-funded and resourceful threat actors.

Attackers Use Various Lure Tactics to Deliver the GHOSTPULSE Malware

Based on the bait installers used in this scheme, it is suspected that potential victims are misled to download the MSIX packages using well-known techniques, including compromised websites, Search Engine Optimization (SEO) poisoning, or fraudulent advertising (malvertising).

When the MSIX file is opened, the standard Windows App Installer prompt appears and urges the user to click the 'Install' button. Once the user does so, a PowerShell script silently downloads GHOSTPULSE to the host from a remote server (specifically, 'manojsinghnegi[.]com').
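Because an MSIX package is a ZIP container, the properties that matter for the lure described above (who signed the package, whether install-time scripts are bundled, and whether the claimed identity matches the publisher) can be checked offline before anyone clicks 'Install'. The following triage script is an added example and is not code from the original report; the sample package it builds in memory, including its manifest and Package Support Framework config, is constructed for illustration, and the vendor list used by the identity heuristic is an assumption.

```python
"""Offline triage of an MSIX package (added example, not code from the page
or from any vendor).

MSIX is a ZIP container. This pulls the package identity from
AppxManifest.xml, records whether a signature blob (AppxSignature.p7x) is
present, and lists embedded scripts and Package Support Framework (PSF)
config entries, which are where install-time code such as a PowerShell
downloader would live. build_sample_msix() constructs a fake package in
memory so the script runs offline; its manifest and PSF config are
illustrative, not copied from a real sample.
"""
import io
import json
import xml.etree.ElementTree as ET
import zipfile

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")
# Vendors commonly impersonated by lure packages (assumed list for the heuristic below)
IMPERSONATED_VENDORS = ("google", "microsoft", "brave", "grammarly", "cisco")


def build_sample_msix() -> bytes:
    """Construct a fake 'Chrome' package signed by an unrelated publisher."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Google.Chrome" '
        'Publisher="CN=Example Signer Ltd, O=Example Signer Ltd, C=US" Version="1.0.0.0"/>'
        '</Package>'
    )
    psf_config = {"applications": [{"id": "App", "executable": "chrome.exe",
                                    "startScript": {"scriptPath": "install.ps1"}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("AppxSignature.p7x", b"\x30\x82")  # placeholder, not a real PKCS#7 blob
        zf.writestr("config.json", json.dumps(psf_config))
        zf.writestr("install.ps1", "# placeholder for a downloader script\n")
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Extract identity, signature presence and install-time script references."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report = {
            "name": None,
            "publisher": None,
            "has_signature_blob": "AppxSignature.p7x" in names,
            "scripts": sorted(n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)),
            "psf_scripts": [],
        }
        if "AppxManifest.xml" in names:
            ident = ET.fromstring(zf.read("AppxManifest.xml")).find(APPX_NS + "Identity")
            if ident is not None:
                report["name"] = ident.get("Name")
                report["publisher"] = ident.get("Publisher")
        # PSF config.json can launch a script before/after the packaged executable
        for n in names:
            if n.lower().endswith("config.json"):
                try:
                    cfg = json.loads(zf.read(n))
                except ValueError:
                    continue
                for app in cfg.get("applications", []):
                    for key in ("startScript", "endScript"):
                        path = app.get(key, {}).get("scriptPath")
                        if path:
                            report["psf_scripts"].append(path)
    return report


def findings(report: dict) -> list:
    """Turn the raw report into analyst-facing observations."""
    out = []
    if not report["has_signature_blob"]:
        out.append("no AppxSignature.p7x: package will not install without developer-mode overrides")
    if report["scripts"] or report["psf_scripts"]:
        out.append("install-time scripts present: "
                   + ", ".join(report["scripts"] + report["psf_scripts"]))
    name = (report["name"] or "").lower()
    publisher = (report["publisher"] or "").lower()
    for vendor in IMPERSONATED_VENDORS:
        if vendor in name and vendor not in publisher:
            out.append(f"identity claims {vendor} but publisher DN is {report['publisher']!r}")
    return out


if __name__ == "__main__":
    rep = triage_msix(build_sample_msix())
    print(rep)
    for line in findings(rep):
        print("-", line)
```

To run it against a real sample, read the .msix file into bytes and pass it to triage_msix(); the presence of AppxSignature.p7x only tells you the package carries a signature, so the certificate chain still has to be checked with the platform's own tooling.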

This process unfolds across multiple stages, with the initial payload being a TAR archive. The archive contains an executable that poses as the Oracle VM VirtualBox service (VBoxSVC.exe) but is in reality a renamed copy of gup.exe, the legitimate updater shipped with Notepad++.

Additionally, the TAR archive contains a file named handoff.wav and a trojanized version of libcurl.dll. gup.exe imports libcurl.dll, and because Windows resolves the import from the executable's own directory first, the trojanized copy is loaded instead of a legitimate one (DLL side-loading). No vulnerability in gup.exe is exploited; the loader simply relies on the default DLL search order, and the trojanized DLL then carries the infection to the next stage.

The Multiple, Harmful Techniques Involved in the GHOSTPULSE Malware Infection Chain

The PowerShell script launches VBoxSVC.exe, which side-loads the trojanized libcurl.dll from the current directory. Because the on-disk components are a legitimate signed executable, a lightly modified DLL and an audio file, the encrypted malicious code has a minimal footprint on disk, which helps it evade file-based antivirus and machine-learning scanners.

The trojanized DLL then parses handoff.wav, extracts the encrypted payload concealed in the audio data and decrypts it. To execute it, the loader maps the legitimate mshtml.dll into the process and overwrites its code with the decrypted payload, so execution appears to come from a signed Microsoft module. This technique, known as module stomping, is what ultimately launches GHOSTPULSE.

GHOSTPULSE functions as a loader and uses another technique, process doppelgänging, to execute the final payloads. Process doppelgänging abuses NTFS transactions to run code from a file image that is never committed to disk. The payloads observed include SectopRAT, Rhadamanthys, Vidar, Lumma and the NetSupport RAT.
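The side-loading step (a renamed gup.exe launched by PowerShell that loads an unsigned libcurl.dll from its own directory, described in the two passages above) leaves signals in process-creation and image-load telemetry. The detector below is an added example, not detection content from the original report: it correlates Sysmon-style Event ID 1 (process create, which carries the PE's OriginalFileName) and Event ID 7 (image load, which carries the signature status) per process ID. The pipe-separated key=value lines are a constructed simplification of Sysmon's event fields, and the benign Notepad++ baseline events, including their signature values, are constructed for contrast.

```python
"""Detection logic for the side-loading step described above (added example;
constructed Sysmon-style events, not telemetry from the original report).

Two signals from the page are combined per process:
  * Event ID 1 (process create): the on-disk name differs from the PE's
    OriginalFileName (gup.exe renamed to VBoxSVC.exe), and the parent is a
    PowerShell host.
  * Event ID 7 (image load): an unsigned DLL is loaded from the process's
    own directory rather than a system directory (libcurl.dll beside the EXE).
The pipe-separated key=value rendering is a constructed simplification of
Sysmon's XML event fields.
"""
import ntpath
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\",)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

PKG = r"C:\Users\victim\AppData\Local\Temp\pkg"
NPP = r"C:\Program Files\Notepad++\updater"
SAMPLE_EVENTS = [
    # Constructed malicious chain: renamed gup.exe spawned by PowerShell, unsigned libcurl.dll beside it
    rf"EventID=1|ProcessId=4120|Image={PKG}\VBoxSVC.exe|OriginalFileName=gup.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    rf"EventID=7|ProcessId=4120|Image={PKG}\VBoxSVC.exe|ImageLoaded={PKG}\libcurl.dll|Signed=false",
    rf"EventID=7|ProcessId=4120|Image={PKG}\VBoxSVC.exe|ImageLoaded=C:\Windows\System32\mshtml.dll|Signed=true",
    # Constructed benign baseline: the updater run under its own name from its install directory
    rf"EventID=1|ProcessId=5000|Image={NPP}\gup.exe|OriginalFileName=gup.exe|ParentImage=C:\Program Files\Notepad++\notepad++.exe",
    rf"EventID=7|ProcessId=5000|Image={NPP}\gup.exe|ImageLoaded={NPP}\libcurl.dll|Signed=true",
]


def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split("|"))


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def analyze(lines):
    """Return {pid: {"image": ..., "flags": [(kind, detail), ...]}} for flagged processes."""
    procs = defaultdict(lambda: {"image": None, "flags": []})
    for ev in map(parse_event, lines):
        rec = procs[ev["ProcessId"]]
        rec["image"] = ev["Image"]
        if ev["EventID"] == "1":
            # Masquerade: file name on disk does not match the compiled-in OriginalFileName
            if _base(ev["Image"]) != ev["OriginalFileName"].lower():
                rec["flags"].append(("masquerade",
                                     f'{_base(ev["Image"])} has OriginalFileName {ev["OriginalFileName"]}'))
            if _base(ev["ParentImage"]) in SCRIPT_HOSTS:
                rec["flags"].append(("script-host-parent", _base(ev["ParentImage"])))
        elif ev["EventID"] == "7":
            dll = ev["ImageLoaded"]
            unsigned = ev.get("Signed", "true").lower() == "false"
            beside_exe = _dir(dll) == _dir(ev["Image"])
            in_system = _dir(dll).startswith(SYSTEM_DIRS)
            # Side-load candidate: unsigned DLL resolved from the EXE's own directory
            if unsigned and beside_exe and not in_system:
                rec["flags"].append(("side-load", _base(dll)))
    return {pid: rec for pid, rec in procs.items() if rec["flags"]}


def alerts(lines):
    """High-confidence hits: a masquerading binary that also side-loads an unsigned DLL."""
    out = []
    for pid, rec in analyze(lines).items():
        kinds = {kind for kind, _ in rec["flags"]}
        if {"masquerade", "side-load"} <= kinds:
            out.append((pid, rec["image"]))
    return out


if __name__ == "__main__":
    for pid, rec in analyze(SAMPLE_EVENTS).items():
        print(pid, rec["image"])
        for kind, detail in rec["flags"]:
            print("   ", kind, "-", detail)
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The mshtml.dll load in the sample is deliberately left unflagged: a signed system DLL loaded from System32 is normal, and the module-stomping step that follows is only visible by comparing the mapped image against the file on disk, which image-load events alone do not show.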

The Consequences for Victims of Malware Attacks may be Severe

A Remote Access Trojan (RAT) infection poses several dire consequences to users' devices, making it one of the most dangerous types of malware. Firstly, a RAT grants unauthorized access and control to malicious actors, allowing them to covertly observe, manipulate, and steal sensitive information from the infected device. This includes access to personal files, login credentials, financial data, and even the ability to monitor and record keystrokes, making it a potent tool for identity theft and espionage. These activities can lead to financial losses, privacy breaches, and the compromise of personal and professional data.

Furthermore, RAT infections can have devastating impacts on user privacy and security. Attackers can use RATs to turn on webcams and microphones, effectively spying on victims in their own homes. This intrusion into personal spaces not only violates privacy but can also lead to blackmail or the distribution of compromising content. Additionally, RATs can be used to enrol infected devices in a botnet, which can launch large-scale cyberattacks, distribute malware to other systems, or carry out criminal activities on behalf of the attacker. Ultimately, RAT infections undermine trust in the digital environment, erode personal safety, and can have long-lasting, severe consequences for individuals, businesses, and even nations.
