New malware loader GHOSTPULSE uses Microsoft MSIX app packages to evade detection

A new malware loader called GHOSTPULSE has been discovered by Elastic Security Labs, a team of security researchers who publish their findings on various cyber threats and malware. To evade detection and deliver malicious payloads, GHOSTPULSE uses Microsoft MSIX app packages, a new format for Windows applications that combines the features of different installation technologies.

Screen shot from https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks

According to Elastic Security Labs, GHOSTPULSE is a sophisticated and stealthy malware loader that leverages the MSIX app package format to bypass security controls and execute arbitrary code on the target system. MSIX app packages are designed to simplify the installation and management of Windows applications, but they also provide an opportunity for attackers to hide malicious code inside them.

GHOSTPULSE uses a fake MSIX app package that contains a legitimate application and a malicious DLL file. A DLL file is a type of file that contains instructions that other programs can call upon to do certain things. This way, several programs can share the abilities programmed into a single file and even do so simultaneously. The fake app package is signed with a self-signed certificate that mimics a valid Microsoft certificate, making it appear trustworthy. When the user installs the fake app package, the malicious DLL file is extracted and executed by a legitimate Windows process, such as explorer.exe or svchost.exe. This technique allows GHOSTPULSE to evade antivirus detection and firewall rules.

The malicious DLL file then downloads and executes another DLL file from a remote server, which contains the final payload of GHOSTPULSE. The payload can vary depending on the attacker’s objectives, but it typically consists of a backdoor or a ransomware module. The payload can also perform various actions on the infected system, such as stealing credentials, encrypting files, deleting backups, or exfiltrating data.

Elastic Security Labs has published a detailed blog post on how GHOSTPULSE works, how to detect it, and how to protect against it. The blog post also provides indicators of compromise (IOCs) and sample hashes of GHOSTPULSE variants. Elastic Security Labs recommends using endpoint security solutions, such as Elastic Agent or Elastic Endpoint Security, to prevent and detect GHOSTPULSE attacks.

GHOSTPULSE is one of the latest examples of how attackers use defense evasion techniques to avoid detection and compromise systems. According to Elastic’s 2022 Global Threat Report, 90% of cyber attackers used defense evasion tactics in 2022, making it the most common attack technique across all industries and regions. The report also highlights the importance of having comprehensive visibility and protection across endpoints, networks, and clouds.


GHOSTPULSE can compromise your system and perform various actions, such as stealing credentials, encrypting files, deleting backups, or exfiltrating data. To stay safe from GHOSTPULSE, you should follow these steps:

Keep your software up to date. Software updates often include security patches that can help protect you from malware.

Use a good antivirus program and keep it up to date. An antivirus program can scan your computer for malware and remove it if it’s found.

Be careful about what attachments you open. GHOSTPULSE uses a fake MSIX app package that contains a legitimate application and a malicious DLL file. The fake app package is signed with a self-signed certificate that mimics a valid Microsoft certificate, making it appear trustworthy. Do not install any app packages from unknown sources or suspicious emails.

Use endpoint security solutions, such as Elastic Agent or Elastic Endpoint Security, to prevent and detect GHOSTPULSE attacks. These solutions can provide comprehensive visibility and protection across endpoints, networks, and clouds.

Check the indicators of compromise (IOCs) and sample hashes of GHOSTPULSE variants published by Elastic Security Labs. If you find any matches on your system, you may be infected by GHOSTPULSE and should take immediate action to remove it.
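
The check in the last step, as an added example that is not from the original article or from Elastic Security Labs: this Python script inspects an MSIX package without installing it, reporting the publisher declared in its manifest and matching the SHA-256 of each bundled DLL and EXE against an IOC list. The hash set is a placeholder to be filled from the published IOCs, and the sample package and its file names are constructed for illustration.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Placeholder only: replace with SHA-256 values from the published IOC list.
KNOWN_BAD_SHA256 = {"<sha256-from-published-ioc-list>"}
CODE_EXTS = (".dll", ".exe")
MANIFEST_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def triage_msix(package, bad_hashes=KNOWN_BAD_SHA256):
    """Inspect an MSIX/APPX package (path or file object) without installing it."""
    report = {"publisher": None, "signed": False, "code_files": [], "ioc_hits": []}
    with zipfile.ZipFile(package) as zf:  # MSIX packages are ZIP containers
        names = zf.namelist()
        # A signature file being present does not prove the signer is trusted.
        report["signed"] = "AppxSignature.p7x" in names
        if "AppxManifest.xml" in names:
            root = ET.fromstring(zf.read("AppxManifest.xml"))
            identity = root.find(MANIFEST_NS + "Identity")
            if identity is not None:
                report["publisher"] = identity.get("Publisher")
        for name in names:
            if name.lower().endswith(CODE_EXTS):
                digest = hashlib.sha256(zf.read(name)).hexdigest()
                report["code_files"].append((name, digest))
                if digest in bad_hashes:
                    report["ioc_hits"].append(name)
    return report


def build_sample_package():
    """Constructed sample: a tiny ZIP laid out like an MSIX package."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Example.App" Publisher="CN=Example Publisher" Version="1.0.0.0"/>'
        "</Package>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("AppxSignature.p7x", b"constructed-signature-bytes")
        zf.writestr("VFS/ProgramFiles/App/app.exe", b"constructed benign bytes")
        zf.writestr("VFS/ProgramFiles/App/helper.dll", b"constructed suspicious bytes")
    return buf


if __name__ == "__main__":
    print(triage_msix(build_sample_package()))
```

The publisher string comes from the package's own manifest, so treat it as a claim to review rather than as proof of who signed the package.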

Check Elastic Security Labs for indicators of compromise and the full report on GHOSTPULSE.

*****
Credit belongs to: www.mb.com.ph
