MSIX installer malware delivery on the rise – Red Canary

Red Canary began investigating MSIX-based malware delivery in July 2023, uncovering three clusters that paired malicious MSIX installers with malvertising to lure victims who believed they were downloading legitimate software. These clusters—FIN7, Zloader, and FakeBat—utilize MSIX packaging, PowerShell-based payloads, and DLL sideloading to drop follow‑on malware such as NetSupport Manager RAT, ArechClient2, and Redline, indicating opportunistic campaigns across multiple industries. #FIN7 #Zloader #Storm-0569 #Storm-1113 #GHOSTPULSE #IcedID #NetSupportManager #ArechClient2

Keypoints

  • MSIX installer abuse to deliver malware rose starting July 2023, with victims drawn in by misleading software downloads.
  • Three attack clusters observed from July to December 2023: FIN7, Zloader, and FakeBat.
  • Cluster 1 (FIN7) used MSIX-PackageSupportFramework and a StartingScriptWrapper.ps1 to run embedded PowerShell, leading to POWERTRASH/Carbanak and then NetSupport Manager RAT.
  • Cluster 2 (Zloader) leveraged Advanced Installer with AiStub.exe to execute Install.exe, with overlaps to Zloader/BatLoader and use of OpenSSL and GetAdmin.vbs.
  • Cluster 3 (FakeBat) also used Advanced Installer; payloads included PowerShell scripts run via AiStub.exe, ArechClient2/Redline, DLL sideloading (GHOSTPULSE), and GPG/tar-based decompression, aligned with Storm-1113.
  • Defensive guidance emphasizes that preventive controls alone are insufficient; disabling certain MSIX delivery paths and using allow-lists (e.g., AppLocker) can help, though gaps remain.
  • Adversaries have long used malvertising and SEO poisoning via Google Ads to distribute MSIX packages and other malware.
  • Detection guidance includes pseudo-detectors and monitoring, such as flagging PowerShell launched from the WindowsApps directory as suspicious activity.
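As an added example (not code from the Red Canary post), the pseudo-detector idea above applied to constructed process-creation events: it flags PowerShell started from WindowsApps, the Cluster 1 StartingScriptWrapper.ps1 invocation, and AiStub.exe spawning the payload seen in Clusters 2 and 3. All paths, package names and event field layouts are assumptions standing in for EDR telemetry.

```python
# Added example, not Red Canary's code; paths, package names and event fields are hypothetical.
from dataclasses import dataclass

WINDOWSAPPS = "c:\\program files\\windowsapps\\"   # where MSIX packages are staged
POWERSHELL = ("powershell.exe", "pwsh.exe")

@dataclass
class ProcEvent:
    image: str         # full path of the newly created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process
    cwd: str           # working directory at process start

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _in_windowsapps(path: str) -> bool:
    return path.lower().startswith(WINDOWSAPPS)

def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of the pseudo-detectors this event matches."""
    hits = []
    is_ps = _basename(ev.image) in POWERSHELL
    # The page's core heuristic: PowerShell launched from inside WindowsApps.
    if is_ps and (_in_windowsapps(ev.parent_image) or _in_windowsapps(ev.cwd)):
        hits.append("powershell_from_windowsapps")
    # Cluster 1: the Package Support Framework script wrapper on the command line.
    if is_ps and "startingscriptwrapper.ps1" in ev.cmdline.lower():
        hits.append("psf_script_wrapper")
    # Clusters 2 and 3: Advanced Installer's AiStub.exe spawning the payload.
    if _basename(ev.parent_image) == "aistub.exe" and (
            is_ps or _basename(ev.image) == "install.exe"):
        hits.append("aistub_spawns_payload")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched detectors, dropping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PKG = "C:\\Program Files\\WindowsApps\\ExamplePkg_1.0.0.0_x64__abc123\\"  # constructed
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcEvent(PS, "powershell.exe", "C:\\Windows\\explorer.exe", "C:\\Users\\alice"),
    ProcEvent(PS, f'powershell.exe -ExecutionPolicy Bypass -File "{PKG}StartingScriptWrapper.ps1"',
              PKG + "Launcher.exe", PKG),
    ProcEvent(PS, "powershell.exe -w hidden -File setup.ps1", PKG + "AiStub.exe", PKG),
    ProcEvent(PKG + "Install.exe", "Install.exe", PKG + "AiStub.exe", PKG),
    ProcEvent(PKG + "Contoso.exe", "Contoso.exe", "C:\\Windows\\explorer.exe", PKG),
]
```

The first and last sample events (an interactive PowerShell and a Store app started from Explorer) produce no hits, which is the false-positive check a practitioner would want before tuning such a rule.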

MITRE Techniques

  • [T1036] Masquerading – Victims believed they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Quote: “…believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom.”
  • [T1189] Drive-by Compromise – Malvertising/SEO poisoning via Google Ads to lure victims into downloading MSIX installers. Quote: “Google Ads provide methods for companies to advertise using their product—namely, by putting promoted advertisements ahead of organic results.”
  • [T1059.001] PowerShell – Embedded PowerShell script launched via MSIX package wrapper StartingScriptWrapper.ps1. Quote: “…embedded PowerShell script.”
  • [T1055] Process Injection – PowerShell script employs process injection to execute POWERTRASH and Carbanak malware. Quote: “The PowerShell script employs process injection to execute POWERTRASH and Carbanak malware…”
  • [T1574.002] DLL sideloading – DLL-sideloading payload consistent with GHOSTPULSE. Quote: “The adversary’s packages have also delivered a DLL-sideloading payload consistent with GHOSTPULSE.”
  • [T1218] Signed Binary Proxy Execution – AiStub.exe (legitimate Advanced Installer binary) used to execute the payload inside the package. Quote: “The MSIX files leverage the legitimate Advanced Installer binary AiStub.exe to execute the malicious payload inside.”
  • [T1027] Obfuscated/Compressed Files and Information – OpenSSL commands to decrypt components and tar to decompress files. Quote: “OpenSSL commands to decrypt components and the use of tar to decompress files…”

Indicators of Compromise

  • [File] StartingScriptWrapper.ps1 – MSIX Package wrapper launching the embedded PowerShell payload.
  • [File] Install.exe – Payload named Install.exe constructed inside MSIX by Cluster 2.
  • [File] AiStub.exe – Legitimate Advanced Installer binary used to execute malicious payload.
  • [File] GetAdmin.vbs – Script used in Cluster 2 to obtain elevated privileges.
  • [File] ArechClient2 – Payload component seen in Cluster 3.
  • [File] Redline – ArechClient2/Redline payload variant in Cluster 3.
  • [File] NetSupport Manager RAT – Follow-on payload delivered after initial execution in Cluster 1.
  • [Process] POWERTRASH – Process executed by PowerShell injection in Cluster 1.
  • [Process] Carbanak – Malware dropped by the PowerShell pipeline in Cluster 1.
  • [Malware] GHOSTPULSE – DLL-sideloading payload associated with Cluster 3.

Read more: https://redcanary.com/blog/msix-installers/