Windows computers have recently become the target of a new attack by hackers. Cybercriminals are using a trick to infect devices with the GHOSTPULSE virus. Here is what to watch out for.
Cybercriminals have found a new way to infect computers through application installation files. The problem concerns Windows users who are looking to download popular software.
Viruses hidden in Chrome, Edge and Brave – beware of fake installers
Hackers have started abusing MSIX files. MSIX is still a relatively new format, used to package and install the files of various applications; it is intended to be more reliable and to reduce the space taken up by the installer. However, the innovation has already been turned to nefarious purposes, as MSIX files laced with malware have begun to appear on the Internet.
Elastic Security Labs experts warn that unknown perpetrators have started distributing installers that pose as popular programs while at the same time installing viruses on the system. The malicious packages impersonated MSIX installers of popular applications such as Google Chrome, Microsoft Edge, Brave, Grammarly and Cisco Webex.
“MSIX requires access to purchased or stolen code signing certificates. This makes this method profitable only for hacker groups with above-average resources,” says Joe Desimone, a security researcher at Elastic Security Labs.
GHOSTPULSE – a loader that installs further viruses
If we accidentally download an infected installer and open the file, the GHOSTPULSE virus may land on our system. Getting it onto the machine is not yet the final step for the hackers: GHOSTPULSE is a so-called loader, a program that acts as a foot in the door and installs further viruses on the compromised system.
Once started, GHOSTPULSE may install a number of other malicious programs. Specialists mention SectopRAT, Rhadamanthys, Vidar, Lumma and NetSupport RAT. Some of these are remote access tools that allow attackers to take over the computer and access the data on it. Others are built for rapid information theft or for executing further malicious code.
Antivirus products should detect the malware using the YARA rule “Windows.Trojan.GhostPulse”. So far, the number and purpose of attacks carried out with the new method are unknown, as is the hacker group behind the latest MSIX campaign. There are many indications that the hackers’ activity may be financially motivated.