Windows PCs are being targeted with a nasty new malware - here's what you need to know

News
By published

Hackers are using novel techniques to drop GHOSTPULSE on Windows PCs

Petya nagscreen
(Image credit: Wikipedia)

Cybersecurity researchers have observed hackers abusing MSIX Windows app package files to distribute malware

MSIX is a relatively new, unified packaging format, which developers can utilize to create secure and high-performing applications across platforms. 

According to experts from Elastic Security Labs, someone’s been distributing MSIX files pretending to be popular software platforms such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. The distribution channels haven’t been confirmed, but researchers believe it’s the usual mix of compromised websites, SEO poisoning, malvertising, social media, and phishing.

Unknown motives

Being a loader, the malware itself has one job, and that is to drop one of the following final payloads: SectopRAT, Rhadamanthys, Vidar, Lumma, or NetSupport RAT. While these have different features, the common denominators are remote access, the ability to execute arbitrary code, and data exfiltration.

Users who fall for the scam and execute the file will see a prompt with an Install button. Pressing the button will drop the GHOSTPULSE malware loader onto their endpoint. 

"MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources," explained Elastic Security Labs researcher Joe Desimone.

Elastic Defend, the company’s endpoint security solution, detects this threat with the following behavior protection rules:

DNS Query to Suspicious Top Level Domain
Library Load of a File Written by a Signed Binary Proxy
Suspicious API Call from an Unsigned DLL
Suspicious Memory Write to a Remote Process
Process Creation from Modified NTDLL

The YARA rule "Windows.Trojan.GhostPulse" will also detect GHOSTPULSE loaders on disk.

There is no information on the number of companies compromised with GHOSTPULSE, or who the threat actor behind the campaign is. We also don’t know what their end game is, but given the type of malware being distributed in the final stage, it’s safe to assume this is either a financially motivated group, or an Initial Access Broker (IAB).

An IAB will typically breach a network and then sell the access it has gained to other threat actors, such as ransomware groups. 

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Ransomware
Microsoft spies a new and worrying macOS malware strain
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Trojan
Hackers hide malware into website images to go unnoticed
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Ray-Ban smart glasses with the Cpperni logo, an LED array, and a MacBook Air with M4 next to ecah other.
ICYMI: the week's 7 biggest tech stories from Twitter's massive outage to iRobot's impressive new Roombas
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today
More about security
Data Breach

Thousands of healthcare records exposed online, including private patient information
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.

AI agents can be hijacked to write and send phishing attacks
Fingers typing on a computer keyboard.

Microsoft 365 Personal vs Microsoft 365 Family: are there any real differences?

See more latest
Most Popular
Ray-Ban smart glasses with the Cpperni logo, an LED array, and a MacBook Air with M4 next to ecah other.
ICYMI: the week's 7 biggest tech stories from Twitter's massive outage to iRobot's impressive new Roombas
A hand reaching out to touch a futuristic rendering of an AI processor.
Researchers want to embrace Arm's celebrated paradigm for a universal generative AI processor; a puzzling MEGA.mini core architecture
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Nokia 5G 360 Camera
This is the world's first 8K 5G 360 degrees camera - and it is also weatherproof
AI writer
Coding AI tells developer to write it himself
Data Breach
Thousands of healthcare records exposed online, including private patient information
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
Google Messages update
Google Messages could soon follow WhatsApp with an upgrade that makes it much easier to join group chats
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight