Threat Bulletin – New variant of IDAT Loader

Morphisec discovered and blocked a new IDAT loader variant delivered via a modified MSIX application that executes a signed PowerShell custom action to fetch and run the loader. The attack leverages a signed PsfLauncher wrapper (StartingScriptWrapper.ps1) to execute update.ps1 which contacts https[:]//utm-msh[.]com/profile/ to load the payload. #IDAT #update_ps1

Keypoints

  • Morphisec prevented a critical attack using a new variant of the IDAT loader.
  • Delivery used a modified MSIX package named UpdateSetup.UpdateSetup_1.3.36.292_x86 taken from the Windows app store.
  • The MSIX contained a custom action executed through a signed PsfLauncher script (StartingScriptWrapper.ps1) which runs update.ps1.
  • update.ps1 redirects to a C2 (https[:]//utm-msh[.]com/profile/) to download and load the IDAT loader.
  • Execution was performed via PowerShell with: powershell.exe '-ExecutionPolicy' 'RemoteSigned' '-file' '…/update.ps1'.
  • Initial VirusTotal scans showed zero or minimal detections for the script, reducing visibility to many endpoint/web defenses.
  • Provided IOCs include file hashes for update.ps1 and the installer and the C2 URL.

MITRE Techniques

  • [T1059.001] PowerShell – Used to execute the malicious script: 'powershell.exe' '-ExecutionPolicy' 'RemoteSigned' '-file' 'C:/ProgramFiles/WindowsApps/UpdateSetup.UpdateSetup_1.3.36.292_x86__s3garmmmnyfa0/update.ps1'
  • [T1553.002] Code Signing – Adversaries leveraged a signed PsfLauncher/StartingScriptWrapper.ps1 to evade detection and bypass application whitelisting: ‘StartingScriptWrapper.ps1 … which is delivered by Advanced Installer’.
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – The update script fetches the loader from a web C2: ‘https[:]//utm-msh[.]com/profile/ which loads the IDAT loader.’
  • [T1195] Supply Chain Compromise – The attack modifies a legitimate Windows app package (MSIX) to include a malicious custom action: ‘The MSI was edited to include a custom action that is executed through a PowerShell signed script’.
  • [T1055] Process Injection – The loader uses code injection/execution modules as part of its modular architecture: ‘Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules’.

Indicators of Compromise

  • [File name & hash] update.ps1 – 4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad (malicious PowerShell script)
  • [File name & hash] UpdateSetup.UpdateSetup_1.3.36.292_x86 (popupwrapper.exe) – eb8ce3cbdc33dbc819fe5989bfd4c81dbd54239aa7ee18cfa781173b65b8d628 (modified MSIX installer)
  • [C2 domain] C2 URL used to load the loader – https[:]//utm-msh[.]com/profile/ (loader retrieval endpoint)

Morphisec’s analysis shows the attack chain begins with a modified MSIX (UpdateSetup.UpdateSetup_1.3.36.292_x86) distributed via the Windows app store. The package contains a custom action implemented through Advanced Installer’s PsfLauncher; the signed wrapper script (StartingScriptWrapper.ps1) runs a secondary script named update.ps1. That signed wrapper enables execution despite application whitelisting or EDR controls, reducing detection likelihood until explicit indicators appear.

The update.ps1 script executes via PowerShell (powershell.exe '-ExecutionPolicy' 'RemoteSigned' '-file' '…/update.ps1') and contacts the command-and-control URL (https[:]//utm-msh[.]com/profile/) to download and load the IDAT loader. IDAT is modular and includes code injection and execution components to deploy further payloads. VirusTotal showed zero or minimal detections for the script and low detection for the C2 during the attack, indicating low initial visibility to many protections.

Technical mitigations include monitoring and restricting execution of unsigned or unexpected MSIX/MSI installers, enforcing stricter script execution policies and code-signing validation, blocking or closely monitoring connections to the listed C2 domain, and using runtime protection that resists signed-script bypass techniques. IOCs provided above (file names, hashes, and the C2 URL) should be added to detection and blocking lists.
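The following is an added detection example, not code from Morphisec or the bulletin. It turns the chain described above into rules that run over constructed process, file and network event records: the published hashes and C2 domain are matched directly, and, because the bulletin notes the script had almost no VirusTotal detections, a behavioural rule also flags PowerShell launched with an -ExecutionPolicy override and a -file argument pointing into the WindowsApps package store, with a PsfLauncher parent. The record format, the parent image name (PsfLauncher32.exe) and the sample lines are constructed for the example.

```python
"""Match the IDAT loader delivery chain (MSIX + PsfLauncher + update.ps1) against event records."""
import re
from dataclasses import dataclass

# IOCs as published in the bulletin above (defanged URL reduced to its host).
IOC_SHA256 = {
    "4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad": "update.ps1",
    "eb8ce3cbdc33dbc819fe5989bfd4c81dbd54239aa7ee18cfa781173b65b8d628": "modified UpdateSetup MSIX",
}
IOC_DOMAINS = {"utm-msh.com"}

# Behavioural patterns that do not depend on the hashes.
PS_IMAGE = re.compile(r"(^|[\\/])powershell(\.exe)?$", re.I)
PS_FILE_IN_WINDOWSAPPS = re.compile(r"-file\s+.*windowsapps[\\/]", re.I)
EXEC_POLICY_OVERRIDE = re.compile(r"-executionpolicy\s+(remotesigned|bypass|unrestricted)", re.I)
PSF_LAUNCHER = re.compile(r"psflauncher", re.I)  # Advanced Installer's PSF wrapper binary


@dataclass
class Event:
    kind: str     # "process", "file" or "network" (constructed record types)
    fields: dict  # lower-cased key -> value


def parse_event(line):
    """Parse one constructed 'kind|key=value|key=value' record."""
    kind, *pairs = line.strip().split("|")
    fields = {}
    for pair in pairs:
        key, _, value = pair.partition("=")  # only the first '=' separates key and value
        fields[key.strip().lower()] = value.strip()
    return Event(kind.strip().lower(), fields)


def analyse(event):
    """Return the list of rule names that fire for a single event (empty if benign)."""
    findings = []
    f = event.fields
    if event.kind in ("process", "file"):
        digest = f.get("sha256", "").lower()
        if digest in IOC_SHA256:
            findings.append("ioc_hash:" + IOC_SHA256[digest])
    if event.kind == "process" and PS_IMAGE.search(f.get("image", "")):
        cmd = f.get("commandline", "")
        if PS_FILE_IN_WINDOWSAPPS.search(cmd):
            findings.append("powershell_script_from_windowsapps")
        if EXEC_POLICY_OVERRIDE.search(cmd):
            findings.append("executionpolicy_override")
        if PSF_LAUNCHER.search(f.get("parentimage", "")):
            findings.append("psflauncher_parent")
    if event.kind == "network":
        host = f.get("host", "").lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append("ioc_c2_domain")
    return findings


def scan(lines):
    """Return {line_index: findings} for every record that fires at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        if line.strip():
            findings = analyse(parse_event(line))
            if findings:
                hits[i] = findings
    return hits


# Constructed sample records mirroring the chain in the bulletin; not real telemetry.
PKG = r"C:\Program Files\WindowsApps\UpdateSetup.UpdateSetup_1.3.36.292_x86__s3garmmmnyfa0"
SAMPLE_LOG = [
    r"process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    + "|parentimage=" + PKG + r"\PsfLauncher32.exe"
    + "|commandline=powershell.exe -ExecutionPolicy RemoteSigned -file " + PKG + r"\update.ps1",
    "file|path=" + PKG + r"\update.ps1"
    + "|sha256=4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad",
    "network|image=powershell.exe|host=utm-msh.com|uri=/profile/",
    r"process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|parentimage=C:\Windows\explorer.exe|commandline=powershell.exe -file C:\Users\a\scripts\clean.ps1",
    "network|image=msedge.exe|host=example.com|uri=/",
    "process|image=" + PKG + r"\popupwrapper.exe|parentimage=C:\Windows\explorer.exe"
    + "|sha256=eb8ce3cbdc33dbc819fe5989bfd4c81dbd54239aa7ee18cfa781173b65b8d628",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

The behavioural rule is the part worth keeping when hashes rotate: a signed PsfLauncher parent spawning PowerShell with an execution-policy override on a script under WindowsApps is uncommon for legitimate packages and gives a hunting pivot that survives a rebuilt update.ps1.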

Read more: https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant