A new malware strain dubbed Ghostpulse is targeting Windows systems through a program intended to help distribute legitimate apps.
As Elastic Security Labs explains, scammers are using MSIX application packages to drop malware onto Windows PCs.
"MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs says. And they're easily installed, often with just a double-click, which "makes them a potential target for adversaries looking to compromise unsuspecting victims."
To pull this off, though, hackers will need to buy or steal code signing certificates, meaning MSIX scams are probably being orchestrated by "groups of above-average resources."
Whoever is doing it, they're trying to get people to "download malicious MSIX packages through compromised websites, search-engine optimization (SEO) techniques, or malvertising," according to Elastic Security Labs, which has seen hackers try fake installers for Chrome, Brave, Edge, Grammarly, and WebEx, among others.
(Credit: Elastic Security Labs)

The install seems normal to the PC user. "No pop-ups or warnings are presented. However, a PowerShell script is covertly used to download, decrypt, and execute Ghostpulse on the system."
Elastic Security Labs outlines several methods for detecting Ghostpulse on its GitHub page, and the team has also published a tool there that performs the detection for you.
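As an added illustration of the kind of triage a defender can run on a Windows host (this is not Elastic's tool and not from the original article), the script below inventories installed MSIX/AppX packages and flags sideloaded ones: packages not signed by the Store or system, publishers missing from a local allowlist, and PowerShell scripts shipped inside the package folder, since the reported installers used one to fetch and run the payload. The allowlist is a constructed placeholder, and `-AllUsers` assumes an elevated session.

```powershell
# Added example (not Elastic Security Labs' tool): inventory installed MSIX/AppX
# packages and flag ones worth a second look. The allowlist below is a
# constructed placeholder; tune it to the publishers your environment expects.

$AllowedPublisherSubstrings = @(
    'CN=Microsoft Corporation',
    'CN=Microsoft Windows'
)

function Get-SuspiciousAppxPackages {
    param([string[]]$AllowedPublishers = $AllowedPublisherSubstrings)

    Get-AppxPackage -AllUsers | ForEach-Object {
        $pkg = $_
        $reasons = @()

        # Store/System signed packages are the expected baseline; Developer,
        # Enterprise or unsigned (None) packages are how a sideloaded MSIX arrives.
        $sigKind = $pkg.SignatureKind.ToString()
        if ($sigKind -notin @('Store', 'System')) {
            $reasons += "SignatureKind=$sigKind"
        }

        # Publisher is the subject of the certificate the package was signed with.
        $known = $AllowedPublishers | Where-Object { $pkg.Publisher -like "*$_*" }
        if (-not $known) {
            $reasons += "Publisher not allowlisted: $($pkg.Publisher)"
        }

        # A PowerShell script inside the package folder deserves manual review.
        if ($pkg.InstallLocation -and (Test-Path $pkg.InstallLocation)) {
            $scripts = Get-ChildItem -Path $pkg.InstallLocation -Recurse `
                -Include '*.ps1' -ErrorAction SilentlyContinue
            if ($scripts) {
                $reasons += "Contains $(@($scripts).Count) .ps1 file(s)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name            = $pkg.Name
                Publisher       = $pkg.Publisher
                SignatureKind   = $sigKind
                InstallLocation = $pkg.InstallLocation
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousAppxPackages | Format-Table -AutoSize -Wrap
```

A flagged package is a lead, not a verdict: many legitimate line-of-business apps are Enterprise-signed, so confirm the signer and the script contents before acting.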
As TechRadar notes, the motive here is unknown, but the payloads dropped by Ghostpulse are known to facilitate remote access, the ability to execute arbitrary code, and data exfiltration.