
Ghostpulse malware targets Windows PCs with fake app installers


A new malware campaign has been detected that uses fake application installers to infect Windows PCs with a malicious payload. The malware, called Ghostpulse, is designed to steal sensitive information from victims and to evade detection by antivirus software.


According to security researchers, Ghostpulse is distributed via phishing emails that contain a link to a malicious website. The website imitates the appearance of legitimate software download sites, such as Softonic, CNET or FileHippo, and offers several popular applications, such as VLC Media Player, WinRAR or Adobe Flash Player. However, the applications are actually fake installers that contain the Ghostpulse malware.

Once the user downloads and runs the fake installer, the malware executes a series of commands to install itself on the system. The malware then creates a backdoor that allows attackers to remotely access the infected PC and perform various malicious activities, such as:

– Collecting credentials, browser history, cookies and other personal data

– Downloading and running additional malware

– Taking screenshots and recording keystrokes

– Modifying system settings and registry entries

– Deleting or encrypting files

Researchers also discovered that Ghostpulse uses several techniques to avoid detection and analysis, such as:

– Encrypting its communication with the command and control server

– Using legitimate Windows processes to hide its malicious code

– Removing its traces after execution

– Checking for the presence of antivirus software, virtual machines or debugging tools

Researchers warn that Ghostpulse is a sophisticated and persistent threat that can cause significant harm to victims. They advise users to be careful when downloading software from unknown sources and to always check the authenticity of installers. They also recommend using a reliable antivirus solution and keeping it updated to protect against malware attacks.

Ghostpulse: a new malware threat that exploits MSIX packages

MSIX is a modern packaging format for Windows applications that offers many benefits for developers and users, such as easy installation, updates, and uninstallation. However, it also poses a new security risk, as malicious actors can use MSIX packages to deliver malware to unsuspecting victims.

This is what Ghostpulse, a new strain of malware discovered by Elastic Security Labs, does. Ghostpulse uses MSIX packages to place a malicious payload on Windows systems, which then performs various malicious activities, such as stealing credentials, downloading additional malware, or executing commands.

How does Ghostpulse work?

Ghostpulse takes advantage of the fact that MSIX packages are easy to install and do not require administrator privileges. Attackers create fake MSIX packages that imitate legitimate applications, such as browsers, productivity tools, or video conferencing software. They then distribute these packages through compromised websites, SEO techniques or malvertising campaigns.

When a user downloads and runs one of these fake MSIX packages, they are presented with a fake installation wizard that looks like the real one. However, in the background, the package extracts and executes a malicious executable file which starts the infection process.

The malicious executable file then creates a scheduled task that runs every 10 minutes and searches for an Internet connection. If it detects one, it connects to a command and control (C2) server and sends information about the infected system, such as its IP address, hostname, username, and operating system version. It also receives commands from the C2 server, which can instruct it to perform various actions, such as:

– Downloading and running additional malware from a specified URL

– Uploading files from the infected system to the C2 server

– Running scripts or PowerShell commands

– Terminating processes or deleting files

– Modifying registry entries or firewall rules

How to detect and prevent Ghostpulse?

Ghostpulse is a stealthy and persistent malware that can evade detection by antivirus software and firewalls. However, there are some indicators of compromise (IOCs) that can help identify infected systems, such as:

– The presence of MSIX packages with suspicious names or publishers in the %LocalAppData%\Packages folder

– The presence of scheduled tasks with random names or descriptions in Task Scheduler

– The presence of network connections to known malicious domains or IP addresses associated with Ghostpulse
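The three indicator classes above can be collected from a host in one pass. The following triage script is an added example, not code from the article or from Elastic Security Labs; it assumes Windows 10/11 with Windows PowerShell 5.1 or PowerShell 7 run from an elevated prompt, and the `$knownBadAddresses` list is a placeholder to be filled from your own threat-intelligence feed, since the article names no specific domains or addresses.

```powershell
# Added triage script; not code from the article or from Elastic Security Labs.
# Assumes Windows 10/11 with Windows PowerShell 5.1 or PowerShell 7, run from an
# elevated prompt so that -AllUsers package data and socket owners are visible.
# $knownBadAddresses is a placeholder to be filled from your own threat-intel feed.
$knownBadAddresses = @()

# 1. Installed MSIX/AppX packages that are not Store- or System-signed.
#    Sideloaded packages carry SignatureKind Developer, Enterprise or None.
function Get-SuspectAppxPackage {
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin @('Store', 'System') -and -not $_.IsFramework } |
        Select-Object Name, Publisher, SignatureKind, InstallLocation
}

# 2. Scheduled tasks outside the \Microsoft\ tree that either run something from a
#    user-writable directory or repeat at a short interval (the article describes a
#    task that fires every 10 minutes to look for connectivity).
function Get-SuspectScheduledTask {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        $commands = @($task.Actions | Where-Object { $_.Execute } |
            ForEach-Object { ("{0} {1}" -f $_.Execute, $_.Arguments).Trim() })
        $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })

        $fromUserDir = [bool]($commands | Where-Object { $_ -match '(?i)\\(AppData|Temp|Users\\Public)\\' })
        $shortInterval = $false
        foreach ($iv in $intervals) {
            # Repetition intervals are ISO 8601 durations such as PT10M
            if ($iv -match '^PT(\d+)M$' -and [int]$Matches[1] -le 15) { $shortInterval = $true }
        }
        if ($fromUserDir -or $shortInterval) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                Command  = ($commands -join '; ')
                Interval = ($intervals -join ', ')
            }
        }
    }
}

# 3. Established outbound TCP connections to non-private addresses, with the owning
#    process, flagged when the remote address is on the threat-intel list.
function Get-OutboundConnection {
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                ProcessName   = $proc.ProcessName
                ProcessPath   = $proc.Path
                KnownBad      = ($knownBadAddresses -contains $_.RemoteAddress)
            }
        }
}

Write-Host '== Sideloaded MSIX/AppX packages =='
Get-SuspectAppxPackage | Format-Table -AutoSize
Write-Host '== Suspicious scheduled tasks =='
Get-SuspectScheduledTask | Format-Table -AutoSize
Write-Host '== Outbound connections =='
Get-OutboundConnection | Sort-Object KnownBad -Descending | Format-Table -AutoSize
```

The package section lists the registered packages rather than walking `%LocalAppData%\Packages` directly, because the registry of installed packages is what Windows consulted at install time; the per-user folder is still worth a manual look for package names that no longer appear in the registration. Treat every row as a lead for an analyst, not as a verdict: many legitimate enterprise deployments sideload packages and run short-interval tasks.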

To prevent Ghostpulse infections, users should be careful when downloading and installing MSIX packages from unknown or untrusted sources. They should also verify the digital signature and publisher of an MSIX package before running it. Additionally, they should use security software that can detect and block malicious MSIX packages and network traffic.
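The signature and publisher check recommended above can be scripted so that it happens before the installer's wizard ever appears. The script below is an added example, not code from the article or from Elastic Security Labs; it assumes Windows 10 1709 or later with Windows PowerShell 5.1 or PowerShell 7, and that `Get-AuthenticodeSignature` recognises the package container's signature. The package path and the expected publisher string are placeholders.

```powershell
# Added example; not code from the article or from Elastic Security Labs.
# Assumes Windows 10 1709+ with Windows PowerShell 5.1 or PowerShell 7, and that
# Get-AuthenticodeSignature recognises the package container's signature.
# The package path and the expected publisher are placeholders.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsixTrustReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher   # e.g. 'CN=Example Vendor, O=Example Vendor, C=US' (placeholder)
    )

    # 1. Signature on the package container: Status must be Valid, meaning the
    #    signature is intact and the certificate chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # 2. Identity declared inside the package. An MSIX is a ZIP container whose
    #    AppxManifest.xml carries the Name, Version and Publisher the installer shows.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
    $identity = $manifest.Package.Identity

    # 3. Windows requires the manifest Publisher to equal the signer's subject name;
    #    a mismatch, an unsigned package, or an untrusted chain is reason to stop.
    $publisherMatchesSigner = ($null -ne $signerSubject) -and ($identity.Publisher -eq $signerSubject)
    $publisherExpected = if ($ExpectedPublisher) { $identity.Publisher -eq $ExpectedPublisher } else { $null }

    [pscustomobject]@{
        Package                = $identity.Name
        Version                = $identity.Version
        ManifestPublisher      = $identity.Publisher
        SignerSubject          = $signerSubject
        SignatureStatus        = $sig.Status.ToString()
        StatusMessage          = $sig.StatusMessage
        PublisherMatchesSigner = $publisherMatchesSigner
        PublisherExpected      = $publisherExpected
        SafeToInstall          = ($sig.Status -eq 'Valid') -and $publisherMatchesSigner -and ($publisherExpected -ne $false)
    }
}

# Usage: run the check first and install only if SafeToInstall is True.
$report = Get-MsixTrustReport -Path 'C:\Users\Public\Downloads\example.msix' `
                              -ExpectedPublisher 'CN=Example Vendor, O=Example Vendor, C=US'
$report | Format-List
if ($report.SafeToInstall) {
    Write-Host 'Package passes the signature and publisher checks; install with Add-AppxPackage if you trust this publisher.'
} else {
    Write-Warning 'Package fails the signature or publisher checks; do not install it.'
}
```

A valid signature only proves that some certificate holder signed the package, so the `ExpectedPublisher` comparison is what ties the package to the vendor you meant to download from; a fake installer that imitates a well-known application will typically carry a different, recently issued subject name. The subject-name comparison is a plain string check and may report a mismatch for formatting differences alone, so treat a `False` result as a reason to investigate rather than as proof of tampering.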

Elastic Security Labs continually monitors the threat landscape and updates its threat detection and intelligence rules to protect its customers from Ghostpulse and other emerging malware threats. To learn more about Ghostpulse and how to detect it with Elastic Security products, see our blog post here.