GHOSTPULSE Infiltration via MSIX Application Packages

Threat Group: Unknown
Threat Type: Multi-stage Malware Loader
Exploited Vulnerabilities: DLL Side-loading, Module Stomping, Process Doppelgänging
Malware Used: GHOSTPULSE
Threat Score: High (8.5/10) — Due to advanced evasion techniques and targeting of commonly used software through deceptive MSIX packages.
Last Threat Observation: October 30, 2024

Overview

GHOSTPULSE is a sophisticated malware loader that spreads through compromised MSIX application packages. This malware is embedded within files posing as legitimate software installers, such as Chrome, Edge, and WebEx, often delivered via malicious advertising, SEO poisoning, or attacker-controlled sites. It cleverly evades detection by hiding encrypted payloads within image pixels or DLL files, then deploying advanced loading techniques to bypass antivirus solutions and execute its malicious code in stages.

Key Details

  • Delivery Method: Malicious MSIX packages disguised as trusted applications.
  • Target Systems: Windows PCs, particularly those running applications vulnerable to DLL side-loading.
  • Multi-Stage Execution: Initiates with a seemingly benign MSIX file, then uses DLL hijacking and process injection to deliver additional payloads.
  • Evasion Techniques: Module stomping, process doppelgänging, and pixel-based data encoding within PNG files to evade detection.
  • Payloads: Can execute various malware strains like SectopRAT, Rhadamanthys, Lumma, and NetSupport RAT, each designed for distinct malicious actions.

Attack Vectors

GHOSTPULSE leverages the following vectors:

  1. MSIX Packages: The primary entry point, using trusted software packaging to appear legitimate.
  2. PowerShell Execution: Once downloaded, it uses a PowerShell script to trigger the loader's stages.
  3. Image-based Data Concealment: Encrypted configurations are stored in PNG image pixels, extracted by reading RGB values and decrypting the data via XOR keys.
  4. DLL Side-loading: Uses a legitimate DLL vulnerable to side-loading to launch malicious code.
  5. Module Stomping and Process Doppelgänging: These techniques overwrite the memory of legitimately loaded modules and replace the code a process executes, so the malicious code runs under a trusted module or process name and evades typical antivirus checks.

Known Indicators of Compromise (IoCs)

  • Code Signers:
    • Chrome: Futurity Designs Ltd
    • Brave: Fodere Titanium Limited
    • Webex: Imperious Technologies Limited

Mitigation and Prevention

  1. User Awareness Training: Educate users about downloading only from verified sources and recognizing deceptive packages.
  2. Email and Web Filtering: Filter suspicious domains and URLs, especially from untrusted sources.
  3. Endpoint Security: Use real-time malware detection and behavioral analysis tools to detect unusual activities like DLL side-loading.
  4. Regular Updates: Ensure all software, particularly system DLLs, is up-to-date to minimize vulnerabilities.
  5. Monitor Logs: Track signs of process injection and module stomping through SIEM tools, adapting queries based on log source configurations.
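One way to operationalize the DLL side-loading vector and the log-monitoring recommendation above, as an added example that is not part of the advisory: a heuristic run over Sysmon-style ImageLoad events that flags a system-DLL name loaded from outside the Windows directories, an unsigned module loaded from the MSIX package directory (assumed to be WindowsApps), or a module signed by one of the signers listed in the IoCs. The flattened key=value log format and the field names are assumptions about how a collector exports the event; the sample lines are constructed.

```python
from pathlib import PureWindowsPath

# Directories where a system DLL is expected to live (assumption: default Windows install).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# System DLL names commonly abused for side-loading; extend from your own baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}
# Signers named in the advisory's IoCs for the fake Chrome/Brave/Webex packages.
SUSPICIOUS_SIGNERS = {"Futurity Designs Ltd", "Fodere Titanium Limited", "Imperious Technologies Limited"}

def parse_event(line):
    """Parse 'key=value|key=value' into a dict (collector format is an assumption)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def classify(event):
    """Return the reasons an ImageLoad event looks like side-loading (empty list = benign)."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    loaded_dir = str(loaded.parent).lower()
    name = loaded.name.lower()
    reasons = []
    # A system-DLL name loaded from outside the Windows directories: the classic side-load pattern.
    if name in SYSTEM_DLL_NAMES and not loaded_dir.startswith(TRUSTED_DIRS):
        reasons.append(f"system DLL name {name} loaded from {loaded_dir}")
    # MSIX packages install under WindowsApps (assumption); an unsigned DLL loaded from there is unusual.
    if "\\windowsapps\\" in (loaded_dir + "\\") and event.get("Signed", "").lower() != "true":
        reasons.append("unsigned module loaded from an MSIX package directory")
    if event.get("Signature") in SUSPICIOUS_SIGNERS:
        reasons.append(f"module signed by advisory-listed signer {event['Signature']}")
    return reasons

def scan(lines):
    """Run classify over raw log lines; return {ImageLoaded: reasons} for hits only."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits

# Constructed sample events: one benign load, one side-loaded DLL, one MSIX-hosted suspicious signer.
SAMPLE_LOG = [
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Program Files\WindowsApps\ChromeSetup_1.0\Setup.exe|ImageLoaded=C:\Program Files\WindowsApps\ChromeSetup_1.0\version.dll|Signed=false|Signature=",
    r"Image=C:\Program Files\WindowsApps\Webex_2.0\Webex.exe|ImageLoaded=C:\Program Files\WindowsApps\Webex_2.0\helper.dll|Signed=true|Signature=Imperious Technologies Limited",
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```

Tune SYSTEM_DLL_NAMES and TRUSTED_DIRS from your own image-load baseline before deploying this as a SIEM rule, as the advisory's last mitigation item recommends.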

Conclusion

GHOSTPULSE represents a significant evolution in evasion technology, combining standard packaging formats with sophisticated payload concealment and multi-stage execution tactics. Organizations are urged to deploy robust endpoint security solutions, implement stringent user access control, and maintain up-to-date antivirus protections to reduce exposure to this threat.