Windows systems are being targeted by a new attack campaign leveraging fraudulent MSIX Windows app packages for widely used software to facilitate the deployment of the new GHOSTPULSE malware loader, The Hacker News reports.
Malvertising, search engine optimization poisoning, and breached websites may have been used by attackers to lure targets into downloading the malicious MSIX files, which when opened would prompt a click on the "Install" button that would launch a PowerShell script downloading GHOSTPULSE as part of a multi-stage process, a report from Elastic Security Labs revealed.
Initially downloaded is a TAR archive file with an Oracle VM VirtualBox service-spoofing executable that would side-load a trojanized libcurl.dll involved to bypass antivirus and ML scanning systems before parsing the handoff.wav file and eventually loading GHOSTPULSE.
Process doppelganging is then performed by GHOSTPULSE to facilitate the execution of NetSupport RAT, Vidar, Lumma, Rhadamanthys, SectopRAT, and other strains as the final malware.
