
Ghostpulse malware targets Windows PCs with fake application installers

A new malware campaign has been detected that uses fake application installers to infect Windows PCs with a malicious payload. The malware, dubbed Ghostpulse, is designed to steal sensitive information from victims and evade detection by antivirus software.


According to security researchers, Ghostpulse is distributed via phishing emails containing a link to a malicious website. The website mimics the appearance of legitimate software download sites, such as Softonic, CNET or FileHippo, and offers several popular applications, such as VLC Media Player, WinRAR or Adobe Flash Player. However, the applications are actually fake installers containing Ghostpulse malware.

Once the user downloads and runs the fake installer, the malware executes a series of commands to install itself on the system. The malware then creates a backdoor that allows attackers to remotely access the infected PC and perform various malicious activities, such as:

– Collecting credentials, browser history, cookies and other personal information

– Downloading and executing additional malware

– Taking screenshots and recording keystrokes

– Modifying system settings and registry entries

– Deleting or encrypting files

The researchers also discovered that Ghostpulse uses several techniques to avoid detection and analysis, such as:

– Encrypting its communication with the command and control server

– Using legitimate Windows processes to hide its malicious code

– Removing its traces after execution

– Checking for the presence of antivirus software, virtual machines or debugging tools

Researchers warn that Ghostpulse is a sophisticated and persistent threat that can cause significant damage to victims. They advise users to be cautious when downloading software from unknown sources and to always verify the authenticity of installers. They also recommend using a reliable antivirus solution and keeping it updated to protect against malware attacks.

Ghostpulse: a new malware threat exploiting MSIX packages

MSIX is a modern packaging format for Windows applications that offers many benefits for developers and users, such as easy installation, updates and uninstallation. However, it also poses a new security risk, as malicious actors can use MSIX packages to deliver malware to unsuspecting victims.

This is what Ghostpulse, a new strain of malware discovered by Elastic Security Labs, does. Ghostpulse uses MSIX packages to place a malicious payload on Windows systems, which then performs various malicious activities, such as stealing credentials, downloading additional malware or executing commands.

How does Ghostpulse work?

Ghostpulse takes advantage of the fact that MSIX packages are easy to install and do not require administrator privileges. Attackers create fake MSIX packages that mimic legitimate applications, such as browsers, productivity tools or video conferencing software. They then distribute these packages through compromised websites, SEO techniques or malvertising campaigns.

When a user downloads and runs one of these fake MSIX packages, they are presented with a fake installation wizard that looks like the real thing. However, in the background, the package extracts and runs a malicious executable file that initiates the infection process.

The malicious executable then creates a scheduled task that runs every 10 minutes and looks for an Internet connection. If it detects one, it connects to a command and control (C2) server and sends information about the infected system, such as its IP address, host name, user name and operating system version. It also receives commands from the C2 server, which may instruct it to perform various actions, such as:

– Downloading and executing additional malware from a specific URL

– Uploading files from the infected system to the C2 server

– Executing PowerShell scripts or commands

– Terminating processes or deleting files

– Modifying registry entries or firewall rules

How to detect and prevent Ghostpulse?

Ghostpulse is a stealthy and persistent malware that can evade detection by antivirus software and firewalls. However, there are some indicators of compromise (IOCs) that can help identify infected systems, such as:

– The presence of MSIX packages with suspicious names or publishers under the %LocalAppData% folder

– The presence of scheduled tasks with random names or descriptions in the Task Scheduler

– The presence of network connections to known malicious domains or IP addresses associated with Ghostpulse

To prevent Ghostpulse infections, users should be careful when downloading and installing MSIX packages from unknown or untrusted sources. They should also verify the digital signature and publisher of the MSIX package before running it. In addition, they should use security software that can detect and block malicious MSIX packages and network traffic.
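The three indicators listed above and the signature check recommended here can be turned into a host triage script. The following PowerShell is an added example written for this article, not code from Elastic Security Labs or from the original post; it assumes an elevated PowerShell 5.1+ session, treats the 10-minute scheduled-task interval described earlier as the hunting cadence, and uses the built-in Get-AppxPackage, Get-ScheduledTask and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the article): triage a Windows host for the Ghostpulse
# indicators described in the text. Assumes an elevated PowerShell 5.1+ session.

# 1. Sideloaded MSIX/Appx packages (not Store- or System-signed). Every package also
#    owns a per-user data folder under %LocalAppData%\Packages, reported for review.
function Get-SideloadedAppx {
    Get-AppxPackage | Where-Object { $_.SignatureKind -notin @('Store', 'System') } |
        ForEach-Object {
            [PSCustomObject]@{
                Name          = $_.Name
                Publisher     = $_.Publisher
                SignatureKind = $_.SignatureKind
                InstallPath   = $_.InstallLocation
                LocalAppData  = Join-Path $env:LOCALAPPDATA "Packages\$($_.PackageFamilyName)"
            }
        }
}

# 2. Scheduled tasks that repeat every 10 minutes (the beacon cadence described above).
function Get-TenMinuteTasks {
    Get-ScheduledTask | Where-Object {
        $_.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT10M' }
    } | ForEach-Object {
        [PSCustomObject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            Author   = $_.Author
            Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

# 3. Signature and publisher check for an .msix file before it is installed.
function Test-MsixPackage {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # An MSIX is a zip; read the publisher the package declares in AppxManifest.xml.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        $manifest = [xml]$reader.ReadToEnd(); $reader.Dispose()
    } finally { $zip.Dispose() }
    $declared = $manifest.Package.Identity.Publisher
    [PSCustomObject]@{
        File              = $Path
        SignatureStatus   = $sig.Status            # anything but 'Valid' is a stop signal
        SignerSubject     = $sig.SignerCertificate.Subject
        ManifestPublisher = $declared
        # Windows requires the manifest Publisher to equal the signer's subject; attribute
        # ordering can differ between the two strings, so treat a mismatch as a prompt to inspect.
        PublisherMatches  = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -eq $declared)
    }
}

Get-SideloadedAppx; Get-TenMinuteTasks
```

Call Test-MsixPackage on a downloaded package before running it; review any Get-SideloadedAppx result whose publisher you do not recognize alongside the tasks Get-TenMinuteTasks returns.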

Elastic Security Labs continuously monitors the threat landscape and updates its threat intelligence and detection rules to protect its customers from Ghostpulse and other emerging malware threats. For more information on Ghostpulse and how to detect it with Elastic Security products, see our blog post here.