In a sophisticated cyberattack campaign, hackers have been exploiting the MSIX app installer protocol to deliver malware through a freemium productivity app, posing a significant threat to publicly facing servers. This attack method has been on the rise, with multiple campaigns identified leveraging MSIX files for malware delivery since July 2023.
The Rise of MSIX Installer Malware Delivery
MSIX, a Windows application package installation format, has become a tool for adversaries to distribute malware. The attackers craft MSIX files using tools like Advanced Installer and exploit legitimate components to execute malicious payloads. Notably, the payloads include a variety of malware such as NerbianRAT, MiniNerbian, and the WARPWIRE JavaScript stealer, targeting Linux systems in particular.
The attackers exploit the trust users place in familiar productivity tools by creating counterfeit versions of popular applications such as Notion, Grammarly, Microsoft Teams, and Zoom. These fake applications are then advertised through malicious advertising or SEO poisoning, tricking users into downloading what they believe to be legitimate software.
Upon installation, the malware executes a malicious script designed to steal sensitive information from the victim’s computer. This can include details from cryptocurrency wallet applications, screenshots, browser data, and information about other installed software. To further evade detection and reduce suspicion, the attackers employ a two-pronged strategy: they attach a valid digital signature to the downloaded file and simultaneously install the legitimate application alongside the malware.
Exploitation of 1-Day Vulnerabilities
Magnet Goblin, the group behind these attacks, has been quick to exploit 1-day vulnerabilities—security flaws for which a patch exists but has not been widely applied. This strategy allows them to attack systems before they are updated to patch these vulnerabilities. The group’s swift action to exploit these flaws underscores the need for timely patching and additional security measures.
The distribution of MSIX malware has been facilitated by the abuse of advertisement solutions such as Google Ads, which allow companies to promote their products by placing advertisements ahead of organic search results. Despite efforts by Google and other search companies to curb SEO poisoning and malicious advertising, adversaries have continued to modify their tactics to evade anti-SEO poisoning efforts.
Targeted Platforms and Malware
The campaign has targeted a range of devices and services, including Ivanti Connect Secure, Apache ActiveMQ, and Magento, among others. The deployed malware, such as NerbianRAT and MiniNerbian, performs various malicious activities, including system information collection, command execution, and communication with command and control (C2) servers. These activities highlight the versatility and danger of the malware used in these attacks.
One of the malware variants identified in this campaign is LummaC2, a stealer-type malware that operates by stealing sensitive information from infected devices and installed applications. LummaC2 targets a wide range of browsers and can acquire browsing histories, Internet cookies, usernames/passwords, personally identifiable details, credit card numbers, and other highly sensitive information. The presence of LummaC2 on devices can result in severe privacy issues, significant financial losses, and identity theft.
Mitigation and Defense Strategies
To combat these threats, cybersecurity experts emphasize the importance of quick patching of known vulnerabilities. However, they also recommend additional measures such as network segmentation, endpoint protection, and multi-factor authentication to mitigate the impact of potential breaches. These strategies are crucial in defending against the exploitation of 1-day vulnerabilities and ensuring system security.
The rise of malicious MSIX file distribution underscores the ongoing threat posed by financially motivated hacking groups that exploit the trust users place in well-known software applications. This campaign highlights the need for organizations and individuals to adopt a proactive and comprehensive approach to cybersecurity, ensuring the timely application of patches and employing a multi-layered defense strategy to protect against such threats.
The Use of MSIX
The activities of Magnet Goblin and the use of MSIX installer malware delivery pose a significant threat to system security. The exploitation of 1-day vulnerabilities and the deployment of custom Linux malware highlight the sophistication of these attacks. Organizations must adopt a proactive and comprehensive approach to cybersecurity, including timely patching and the implementation of layered defense strategies, to protect against these evolving threats.
To mitigate the risk of falling victim to these attacks, users are advised to download files exclusively from official websites and ensure that the publisher’s signature matches the official source, even if the signature initially seems legitimate. Special caution should be exercised with files ending in “.msix,” as the extension signals a potential risk.
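The publisher check advised above can be done before installation, because an MSIX package is a ZIP container whose AppxManifest.xml declares the publisher. The following is an added example, not code from the original article or from any vendor: it reads a package without installing it, compares the declared publisher with the one expected from the official source, and lists bundled script files for review. The package name, publisher strings, script-extension list and sample package are constructed assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")  # assumed review list
MAX_MANIFEST_BYTES = 1_000_000  # refuse oversized manifests from untrusted packages


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive form of a publisher distinguished name."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def inspect_msix(data: bytes, expected_publisher: str) -> dict:
    """Read the package as a ZIP without installing or executing anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if pkg.getinfo("AppxManifest.xml").file_size > MAX_MANIFEST_BYTES:
            raise ValueError("AppxManifest.xml is unexpectedly large")
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    # The Identity element carries the declared package name and publisher.
    identity = next(el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Identity")
    publisher = identity.get("Publisher", "")
    return {
        "name": identity.get("Name", ""),
        "publisher": publisher,
        "publisher_matches": normalize_dn(publisher) == normalize_dn(expected_publisher),
        "has_signature": "AppxSignature.p7x" in names,  # presence only, not validity
        "scripts": sorted(n for n in names if n.lower().endswith(SCRIPT_EXTS)),
    }


def build_sample(publisher: str) -> bytes:
    """Constructed sample package; every value here is made up."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="ExampleNotes" Publisher="{publisher}" Version="1.0.0.0"/>'
        "</Package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("AppxSignature.p7x", b"constructed placeholder")
        pkg.writestr("scripts/setup.ps1", "# constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    OFFICIAL = "CN=Example Software Inc, O=Example Software Inc, C=US"  # assumed value
    print(inspect_msix(build_sample("CN=Constructed Lookalike Ltd"), OFFICIAL))
```

This only reads what the package declares; whether the signature itself is cryptographically valid still has to be checked on Windows, for example with Get-AuthenticodeSignature. A valid signature from an unexpected publisher is the case the article describes, which is why the publisher comparison is reported separately from signature presence.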