New malware loader GHOSTPULSE uses Microsoft MSIX app packages to evade detection

Unpacking the new threat in Windows applications, Elastic Security Labs shares critical defense tactics against MSIX-packaged GHOSTPULSE malware


At a glance

  • GHOSTPULSE is a newly discovered malware loader that utilizes the Microsoft MSIX app package format to evade detection, making it particularly dangerous due to its ability to blend in with legitimate software installations.

  • The malware employs a deceptive method by packaging a malicious DLL (Dynamic Link Library) file within a seemingly legitimate application, then leveraging trusted Windows processes to execute the malicious code without triggering standard security measures.

  • Upon installation of the tainted MSIX package, GHOSTPULSE can carry out harmful activities, such as downloading further malicious modules, which could include backdoors or ransomware, leading to data theft, file encryption, or extensive system compromise.

  • Elastic Security Labs has provided a comprehensive analysis and a set of indicators of compromise (IOCs), as well as sample hashes of GHOSTPULSE variants, assisting in the detection and prevention of this sophisticated cybersecurity threat.

  • Elastic Security Labs underscores the critical need for robust endpoint security solutions and emphasizes that according to their 2022 Global Threat Report, defense evasion tactics like those used by GHOSTPULSE were the most prevalent across cyber attacks, which calls for heightened vigilance and improved security postures in organizations.


A new malware loader called GHOSTPULSE has been discovered by Elastic Security Labs, a team of security researchers who publish their findings on various cyber threats and malware. GHOSTPULSE abuses Microsoft MSIX app packages, a newer packaging format for Windows applications that combines the features of several earlier installation technologies, to evade detection and deliver malicious payloads.

[Screenshot from https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks]

According to Elastic Security Labs, GHOSTPULSE is a sophisticated and stealthy malware loader that leverages the MSIX app package format to bypass security controls and execute arbitrary code on the target system. MSIX app packages are designed to simplify the installation and management of Windows applications, but they also provide an opportunity for attackers to hide malicious code inside them.

GHOSTPULSE uses a fake MSIX app package that contains a legitimate application and a malicious DLL file. A DLL (Dynamic Link Library) is a file containing code that other programs can call to perform certain tasks, so several programs can share the functionality built into a single file, even at the same time. The fake app package is signed with a self-signed certificate that mimics a valid Microsoft certificate, making it appear trustworthy. When the user installs the fake app package, the malicious DLL file is extracted and executed by a legitimate Windows process, such as explorer.exe or svchost.exe. This technique allows GHOSTPULSE to evade antivirus detection and firewall rules.

The malicious DLL file then downloads and executes another DLL file from a remote server, which contains the final payload of GHOSTPULSE. The payload can vary depending on the attacker's objectives, but it typically consists of a backdoor or a ransomware module. The payload can also perform various actions on the infected system, such as stealing credentials, encrypting files, deleting backups, or exfiltrating data.

Elastic Security Labs has published a detailed blog post on how GHOSTPULSE works, how to detect it, and how to protect against it. The blog post also provides indicators of compromise (IOCs) and sample hashes of GHOSTPULSE variants. Elastic Security Labs recommends using endpoint security solutions, such as Elastic Agent or Elastic Endpoint Security, to prevent and detect GHOSTPULSE attacks.

GHOSTPULSE is one of the latest examples of how attackers use defense evasion techniques to avoid detection and compromise systems. According to Elastic's 2022 Global Threat Report, 90% of cyber attackers used defense evasion tactics in 2022, making it the most common attack technique across all industries and regions. The report also highlights the importance of having comprehensive visibility and protection across endpoints, networks, and clouds.


GHOSTPULSE can compromise your system and perform various actions, such as stealing credentials, encrypting files, deleting backups, or exfiltrating data. To stay safe from GHOSTPULSE, you should follow these steps:

Keep your software up to date. Software updates often include security patches that can help protect you from malware.

Use a good antivirus program and keep it up to date. An antivirus program can scan your computer for malware and remove it if it’s found.

Be careful about what attachments you open. GHOSTPULSE uses a fake MSIX app package that contains a legitimate application and a malicious DLL file. The fake app package is signed with a self-signed certificate that mimics a valid Microsoft certificate, making it appear trustworthy. Do not install any app packages from unknown sources or suspicious emails.

Use endpoint security solutions, such as Elastic Agent or Elastic Endpoint Security, to prevent and detect GHOSTPULSE attacks. These solutions can provide comprehensive visibility and protection across endpoints, networks, and clouds.

Check the indicators of compromise (IOCs) and sample hashes of GHOSTPULSE variants published by Elastic Security Labs. If you find any matches on your system, you may be infected by GHOSTPULSE and should take immediate action to remove it.

Check Elastic Security Labs for indicators of compromise and the full report on GHOSTPULSE.
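The following PowerShell triage script is an added example, not code from Elastic Security Labs or from the report. It ties together two of the points above: it inventories installed MSIX/Appx packages, flags sideloaded or unsigned ones, checks whether every DLL and EXE inside them carries an Authenticode signature that chains to a trusted root (a self-signed certificate whose subject merely looks like Microsoft will not), and compares file hashes against an IOC list. The hash values in `$IocHashes` are constructed placeholders; replace them with the SHA-256 values from the Elastic Security Labs report.

```powershell
# Added MSIX triage script (not from the GHOSTPULSE report). Run elevated so
# that packages installed for all users are visible.
#Requires -RunAsAdministrator

# CONSTRUCTED placeholder hashes; substitute the published GHOSTPULSE IOCs.
$IocHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000000000000000000000000000002'
) | ForEach-Object { $_.ToUpperInvariant() }

# Store and System packages are signed by Microsoft; a sideloaded ("Developer")
# or unsigned package is what a GHOSTPULSE-style fake installer produces.
$suspectKinds = @('Developer', 'None')

$findings = foreach ($pkg in Get-AppxPackage -AllUsers) {
    if ($pkg.SignatureKind -notin $suspectKinds) { continue }
    if (-not $pkg.InstallLocation -or -not (Test-Path $pkg.InstallLocation)) { continue }

    $peFiles = Get-ChildItem -Path $pkg.InstallLocation -Recurse -File `
        -Include '*.dll', '*.exe' -ErrorAction SilentlyContinue
    foreach ($file in $peFiles) {
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # A certificate that only mimics Microsoft does not chain to a trusted root,
        # so Status is not 'Valid' even though the Subject reads like a Microsoft one.
        $looksLikeMs = $signer -match 'Microsoft'
        [pscustomobject]@{
            Package       = $pkg.PackageFullName
            Publisher     = $pkg.Publisher
            SignatureKind = $pkg.SignatureKind
            File          = $file.FullName
            SHA256        = $hash
            SigStatus     = $sig.Status
            Signer        = $signer
            IocMatch      = $hash -in $IocHashes
            SpoofedMs     = ($looksLikeMs -and $sig.Status -ne 'Valid')
        }
    }
}

# Report only what needs an analyst's attention: IOC hits, Microsoft look-alike
# signers that do not validate, and any PE file without a valid signature chain.
$findings | Where-Object { $_.IocMatch -or $_.SpoofedMs -or $_.SigStatus -ne 'Valid' } |
    Sort-Object Package, File | Format-Table -AutoSize
```

A hit in the IocMatch column is a confirmed sample; a SpoofedMs hit or a non-Valid status on a sideloaded package is a lead that warrants pulling the file for analysis rather than proof of infection on its own.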