1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Windows PCs are being targeted with a nasty new malware - here's

    From TechnologyDaily@1337:1/100 to All on Mon Oct 30 17:15:05 2023
    Windows PCs are being targeted with a nasty new malware - here's what you
    need to know

    Date:
    Mon, 30 Oct 2023 17:00:15 +0000

    Description:
    Hackers are using novel techniques to drop GHOSTPULSE, a loader capable of delivering all kinds of nasties to Windows PCs.

    FULL STORY ======================================================================

    Cybersecurity researchers have observed hackers abusing MSIX Windows app package files to distribute malware .

    MSIX is a relatively new, unified packaging format, which developers can utilize to create secure and high-performing applications across platforms.

    According to experts from Elastic Security Labs , someones been distributing MSIX files pretending to be popular software platforms such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. The distribution channels havent been confirmed, but researchers believe its the usual mix of compromised websites, SEO poisoning, malvertising, social media, and
    phishing. Unknown motives

    Being a loader, the malware itself has one job, and that is to drop one of
    the following final payloads: SectopRAT, Rhadamanthys, Vidar, Lumma, or NetSupport RAT. While these have different features, the common denominators are remote access, the ability to execute arbitrary code, and data exfiltration.

    Users who fall for the scam and execute the file will see a prompt with an Install button. Pressing the button will drop the GHOSTPULSE malware loader onto their endpoint.

    "MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources," explained Elastic Security Labs researcher Joe Desimone.

    Elastic Defend, the companys endpoint security solution, detects this threat with the following behavior protection rules:

    DNS Query to Suspicious Top Level Domain

    Library Load of a File Written by a Signed Binary Proxy

    Suspicious API Call from an Unsigned DLL

    Suspicious Memory Write to a Remote Process

    Process Creation from Modified NTDLL

    The YARA rule "Windows.Trojan.GhostPulse" will also detect GHOSTPULSE loaders on disk.

    There is no information on the number of companies compromised with GHOSTPULSE, or who the threat actor behind the campaign is. We also dont know what their end game is, but given the type of malware being distributed in
    the final stage, its safe to assume this is either a financially motivated group, or an Initial Access Broker (IAB).

    An IAB will typically breach a network and then sell the access it has gained to other threat actors, such as ransomware groups. More from TechRadar Pro Millions of Android phones are shipping with malware already installed Here's a list of the best firewalls today These are the best endpoint protection software right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/windows-pcs-are-being-targeted-with-a-n asty-new-malware-heres-what-you-need-to-know


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)