GHOSTPULSE haunts victims using defense evasion bag o’ tricks — Elastic Security Labs

Elastic Security Labs uncovered a campaign delivering signed MSIX packages that install a stealth loader named GHOSTPULSE, which decrypts and injects its final payload to evade detection. The chain includes PowerShell-based stage delivery, GPG decryption, DLL side-loading, staged payloads, and a final payload family with multiple information stealers; observers also note persistence and process-evading techniques. #GHOSTPULSE #NotepadPlusPlus #MSIX #DLLSideLoading #ProcessDoppelgaenging

Key points

  • Campaign distributes signed MSIX packages typically downloaded via compromised sites, SEO, or malvertising to gain initial access.
  • Stage 0 often uses PowerShell to download, decrypt, and execute GHOSTPULSE, sometimes via a staged PowerShell script.
  • GHOSTPULSE decrypts a GPG-protected blob, decompresses it, and loads an executable (VBoxSVC.exe) that is a renamed legitimate binary used for further payload delivery.
  • Stage 1 builds an Import Address Table (IAT) and performs DLL side-loading to execute code from a legitimate-looking DLL (libcurl.dll) with malicious content.
  • Stage 2 uses a native API resolution approach (CRC32 hashing, manual IAT creation) to call Windows NT APIs directly, avoiding userland hooks.
  • Stage 3 employs Process Doppelgänging and NT-based techniques (including Heaven’s Gate-like behavior) to load the final payload in a suspended process, with optional persistence via a .lnk file and COM objects.
  • The final payloads observed include SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport information stealers.
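The Stage 0 and Stage 1 behaviours in the key points above (PowerShell handing a downloaded blob to the GPG command-line tool, then a renamed legitimate VBoxSVC.exe side-loading libcurl.dll from its own directory) are the kind of process and image-load telemetry a defender can write rules against. The block below is an added example, not Elastic's detection rules or code from the report: it evaluates two such rules over constructed Sysmon-style events. The event fields, the "trusted directory" list and the process names are assumptions for illustration.

```python
"""Behavioural checks for the GHOSTPULSE Stage 0/Stage 1 chain over
Sysmon-style events. Example code added to this page; events are constructed."""
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # Sysmon numbering assumed: 1 = ProcessCreate, 7 = ImageLoad
    image: str             # process image path
    parent_image: str = "" # ProcessCreate only
    command_line: str = "" # ProcessCreate only
    image_loaded: str = "" # ImageLoad only: the DLL that was mapped


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


# Directories where a VBoxSVC.exe + libcurl.dll pair is plausible (assumed list).
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def powershell_spawns_gpg(ev: Event) -> bool:
    """Stage 0: PowerShell launching the GPG utility to decrypt the downloaded blob."""
    return (
        ev.event_id == 1
        and _base(ev.parent_image) in ("powershell.exe", "pwsh.exe")
        and _base(ev.image) in ("gpg.exe", "gpg2.exe")
    )


def vboxsvc_sideloads_libcurl(ev: Event) -> bool:
    """Stage 1: VBoxSVC.exe loading libcurl.dll from its own, non-standard directory."""
    if ev.event_id != 7:
        return False
    if _base(ev.image) != "vboxsvc.exe" or _base(ev.image_loaded) != "libcurl.dll":
        return False
    same_dir = _dir(ev.image) == _dir(ev.image_loaded)
    untrusted = not _dir(ev.image).startswith(TRUSTED_DIRS)
    return same_dir and untrusted


RULES = {
    "powershell_spawns_gpg": powershell_spawns_gpg,
    "vboxsvc_sideloads_libcurl": vboxsvc_sideloads_libcurl,
}


def evaluate(events):
    """Return (rule_name, image) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.image))
    return hits


# Constructed sample telemetry: two malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\GnuPG\bin\gpg.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="gpg.exe --batch --passphrase <redacted> -d 2.tar.gpg"),
    Event(7, r"C:\Users\alice\AppData\Local\Temp\x\VBoxSVC.exe",
          image_loaded=r"C:\Users\alice\AppData\Local\Temp\x\libcurl.dll"),
    Event(7, r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
          image_loaded=r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll"),
    Event(1, r"C:\Program Files\GnuPG\bin\gpg.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="gpg.exe --version"),
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```

Both rules are deliberately narrow to the chain described on the page; in production the side-loading rule would usually also consult the DLL's signature status, and the GPG rule would be tuned against environments where PowerShell legitimately drives GPG.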

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial access via compromised websites, SEO, or malvertising to push signed MSIX packages. – “users are directed to download malicious MSIX packages through compromised websites, search-engine optimization (SEO) techniques, or malvertising”
  • [T1588.002] Acquire Capabilities: Code Signing Certificates – Using purchased or stolen code signing certificates to sign MSIX packages. – “MSIX packages can be installed… MSIX requires access to purchased or stolen code signing certificates”
  • [T1204.002] User Execution: Malicious File – User interaction (double-click Install) to begin installation of the MSIX package. – “the ‘Install’ button appears to function as intended”
  • [T1105] Ingress Tool Transfer – The PowerShell stage downloads a GPG-encrypted blob from a remote URL. – “downloads a GPG-encrypted file from manojsinghnegi[.]com/2.tar.gpg”
  • [T1140] Deobfuscate/Decode Files or Information – The downloaded blob is decrypted with GPG and subsequently decompressed. – “decrypts the file using the command-line GPG utility”
  • [T1027] Obfuscated/Compressed Files and Information – The encrypted blob is stored and processed in chunks, leveraging XOR and compression. – “encrypted blob after extraction”
  • [T1218.011] Signed Binary Proxy Execution: Sideloading – Stage 1 uses a signed binary (VBoxSVC.exe) to side-load a malicious DLL (libcurl.dll). – “side loading from the current directory the malicious DLL libcurl.dll”
  • [T1055.001] Dynamic-link Library Injection – The DLL (libcurl.dll) is overwritten with malicious code and executed, effectively injecting into a process. – “The legitimate mshtml.dll code is overwritten… executed”
  • [T1106] Native API – Stage 2 resolves and calls NT APIs directly by building a custom IAT and invoking ntdll.dll functions, avoiding userland hooks. – “reads the ntdll.dll… offsets of the required NT functions”
  • [T1055.012] Process Doppelgänging – Stage 3 loads the final payload via a suspended process using NTFS transactions and related APIs. – “Process Doppelgänging, leveraging the NTFS transactions feature”
  • [T1574.002] Process Injection: DLL Side-Loading (alternative mapping) – The overall flow includes loading a library and executing injected code via DLL side-loading and memory mapping. – “module stomping” and mapping a view of the section to the process
  • [T1023] Shortcut Modification – Persistence via a .lnk file pointing to Stage 1 binary, using COM objects for creation. – “generate a .lnk file that points to the Stage 1 binary”
  • [T1059.005] Command and Scripting Interpreter: Windows Command Shell – Stage 3 uses a suspended child process and later executes the final payload via command-like sequences. – (implicit through process creation and environment manipulation)
  • [T1107] Native API (HEAVEN’S GATE style execution) – Final payload execution uses NT APIs and Heaven’s Gate-like techniques to execute in a separate context. – (described as executing NTDLL APIs via direct syscalls)

Indicators of Compromise

  • [ip-v4] Stage 0 C2 IP – 78.24.180.93
  • [domain-name] Stage 0 C2 domain – manojsinghnegi[.]com
  • [url] Stage 0 C2 URL – manojsinghnegi[.]com/2.tar.gpg
  • [sha-256] Malicious MSIX package – chrome-x64.msix: c01324555494c35c6bbd8babd09527bfc49a2599946f3540bb3380d7bec7a20
  • [sha-256] Malicious MSIX package – Brave-x64.msix: ee4c788dd4a173241b60d4830db128206dcfb68e79c68796627c6d6355c1d1b8
  • [sha-256] Malicious MSIX package – Webex.msix: 4283563324c083f243cf9335662ecc9f1ae102d619302c79095240f969d9d356
  • [sha-256] PowerShell downloader – new1109.ps1: eb2addefd7538cbd6c8eb42b70cafe82ff2a8210e885537cd94d410937681c61
  • [sha-256] GHOSTPULSE payload archive – 38190626900.rar: 49e6a11453786ef9e396a9b84aeb8632f395477abc38f1862e44427982e8c7a9
  • [code-signing-cert] Code signer – Futurity Designs Ltd
  • [code-signing-cert] Code signer – Fodere Titanium Limited
  • [code-signing-cert] Code signer – IMPERIOUS TECHNOLOGIES LIMITED
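The indicators above are defanged (`[.]`), so they have to be normalised before they can be matched against proxy or EDR logs, and a malformed indicator will silently never match. The block below is an added example, not code from Elastic or the report: it refangs and shape-checks a subset of the page's indicators, then scans constructed log lines for them with boundary-aware matching so that, for instance, the domain does not match inside a longer, unrelated host name. The log format and timestamps are constructed for the example.

```python
"""Refang, validate and match the GHOSTPULSE indicators from this page.
Example code added to this page; the indicator values come from the page,
the log lines and their format are constructed."""
import re

# Indicators copied from the page in their defanged form (subset).
IOCS = [
    ("ip-v4", "78.24.180.93"),
    ("domain-name", "manojsinghnegi[.]com"),
    ("url", "manojsinghnegi[.]com/2.tar.gpg"),
    ("sha-256", "ee4c788dd4a173241b60d4830db128206dcfb68e79c68796627c6d6355c1d1b8"),
    ("sha-256", "eb2addefd7538cbd6c8eb42b70cafe82ff2a8210e885537cd94d410937681c61"),
]

# Expected shape of each indicator type after refanging.
SHAPES = {
    "ip-v4": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "domain-name": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$"),
    "url": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}/\S*$"),
    "sha-256": re.compile(r"^[0-9a-f]{64}$"),
}


def refang(value: str) -> str:
    """Undo common defanging conventions and lower-case for comparison."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def compile_iocs(iocs):
    """Refang each indicator, reject malformed ones, and build a bounded pattern."""
    compiled = []
    for kind, raw in iocs:
        value = refang(raw)
        if not SHAPES[kind].match(value):
            raise ValueError(f"malformed {kind} indicator: {raw}")
        # No word/dot/hyphen character on either side: avoids matching inside
        # a longer host name or a longer hex string.
        pattern = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])")
        compiled.append((kind, value, pattern))
    return compiled


def match_iocs(lines, iocs=IOCS):
    """Return (line_index, kind, value) for every indicator found in the lines."""
    compiled = compile_iocs(iocs)
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for kind, value, pattern in compiled:
            if pattern.search(low):
                hits.append((i, kind, value))
    return hits


# Constructed sample lines: three with indicators, one benign.
SAMPLE_LOG = [
    "2023-10-27T10:15:02Z proxy src=10.0.0.12 GET http://manojsinghnegi.com/2.tar.gpg 200 ua=powershell",
    "2023-10-27T10:15:09Z proxy src=10.0.0.12 CONNECT 78.24.180.93:443 200",
    "2023-10-27T10:12:40Z edr file_created path=C:\\Users\\alice\\Downloads\\Brave-x64.msix "
    "sha256=ee4c788dd4a173241b60d4830db128206dcfb68e79c68796627c6d6355c1d1b8",
    "2023-10-27T10:16:00Z proxy src=10.0.0.12 GET http://example.com/index.html 200 ua=browser",
]

if __name__ == "__main__":
    for line_no, kind, value in match_iocs(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value}")
```

The shape check matters in practice: a SHA-256 that is a character short, or a domain with a stray bracket left in, would otherwise load without error and simply never fire.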

Read more: https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks