
MSIX installer malware delivery on the rise across multiple campaigns

We’ve seen multiple distinct adversaries leveraging MSIX installers to deliver a variety of malware payloads in recent months.

Tony Lambert Tyler Bohlmann Christina Johns Frank Lee

Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises.

The adversary in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Victims span multiple industries, suggesting that the adversary’s attacks are opportunistic rather than targeted.

Threat clusters abusing MSIX installers to deliver malware

Analysis of the intrusions revealed three clusters of activity stretching from July to December 2023.

Cluster 1: FIN7

The first cluster of activity we’ve observed seems to bear the hallmarks of a financially motivated threat group known as FIN7 that’s been active since at least 2015. They’ve leveraged many malicious tools over the years and represent a significant risk to organizations, in part because FIN7 activity has frequently preceded ransomware deployment. We’ve detected activity within this cluster attempting to install malicious instances of NetSupport Manager RAT.

In the detections we’ve observed within this cluster, the adversary builds the malicious MSIX with the MSIX-PackageSupportFramework (PSF), a Microsoft tool for wrapping existing applications as packaged apps. When the victim opens the MSIX and the packaged app starts, the PSF component StartingScriptWrapper.ps1 launches the PowerShell script embedded in the package.

The PowerShell script employs process injection to execute POWERTRASH and Carbanak malware, which in turn deliver NetSupport Manager RAT as a follow-on payload. Notably, the NetSupport RAT binaries in these intrusions contain metadata associated with an entity called “Crosstec Corporation” rather than the expected “NetSupport Corporation.” Recent research from Microsoft corroborates our assessment that FIN7, which Microsoft tracks as Sangria Tempest, may be behind these incidents.

Cluster 2: Zloader

The adversary in Cluster 2 uses Advanced Installer—a development utility widely used for building software installation packages—to create MSIX files. These MSIX files leverage the legitimate Advanced Installer binary AiStub.exe to execute the malicious payload inside.

The payload is named Install.exe and is built from compiled Python code. Red Canary’s analysis of the Python payloads reveals consistent overlap with Zloader (aka BatLoader), including the use of OpenSSL commands to decrypt components and the use of GetAdmin.vbs scripts. The same Microsoft research referenced above suggests this cluster also overlaps or aligns with a group Microsoft identifies as Storm-0569.

Cluster 3: FakeBat

Similar to Cluster 2, the adversary in Cluster 3 also uses Advanced Installer to create MSIX files. The Cluster 3 payload is a malicious PowerShell script, which AiStub.exe executes via the legitimate component StartingScriptWrapper.ps1.

Adversaries in Cluster 3 intrusions have used ArechClient2 or Redline stealer in the same chain of activity. The adversary’s packages have also delivered a DLL-sideloading payload consistent with GHOSTPULSE, as well as using GPG decryption tools and tar to decompress files in a manner consistent with FakeBat. FakeBat has also been used in MSIX packages to distribute additional payloads in the past, notably IcedID. Research from Microsoft suggests this cluster overlaps or aligns with a group they call Storm-1113.
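The package layouts described for the three clusters (PSF's StartingScriptWrapper.ps1 in Cluster 1, Advanced Installer's AiStub.exe plus an embedded script in Clusters 2 and 3) can be checked statically before anything is installed. The script below is an added example, not code from this post or from Red Canary: it opens an MSIX as the zip container it is, reads the package identity from AppxManifest.xml, records whether the PSF wrapper or AiStub.exe is present, pulls the startScript.scriptPath entries from a PSF config.json (those key names are the PSF configuration format), and lists every .ps1 in the package. The in-memory sample package it builds is constructed for the example; the identity values, publisher and script names are placeholders.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Package components the three clusters relied on (compared case-insensitively).
# The PSF wrapper and AiStub.exe are legitimate; what matters is a launcher
# plus an embedded .ps1 in a package that should not need one.
PSF_WRAPPER = "startingscriptwrapper.ps1"
AI_STUB = "aistub.exe"


def triage_msix(data: bytes) -> dict:
    """Static triage of an MSIX blob. MSIX is a zip container, so nothing from
    the package is executed; we only read AppxManifest.xml, any PSF config.json,
    and the entry list."""
    report = {"identity": {}, "uses_psf_wrapper": False, "uses_aistub": False,
              "psf_start_scripts": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            low = name.lower()
            base = low.rsplit("/", 1)[-1]
            if low == "appxmanifest.xml":
                # Identity carries Name, Publisher and Version; {*} matches any
                # manifest namespace (Python 3.8+).
                ident = ET.fromstring(pkg.read(name)).find("{*}Identity")
                if ident is not None:
                    report["identity"] = dict(ident.attrib)
            elif base == PSF_WRAPPER:
                report["uses_psf_wrapper"] = True
            elif base == AI_STUB:
                report["uses_aistub"] = True
            elif base == "config.json":
                # PSF config: applications[].startScript.scriptPath is the script
                # StartingScriptWrapper.ps1 runs when the app starts.
                try:
                    cfg = json.loads(pkg.read(name))
                except ValueError:
                    continue
                for app in cfg.get("applications", []):
                    script = (app.get("startScript") or {}).get("scriptPath")
                    if script:
                        report["psf_start_scripts"].append(script)
            elif base.endswith(".ps1"):
                report["scripts"].append(name)
    return report


def is_suspicious(report: dict) -> bool:
    """A script launcher (PSF wrapper or AiStub.exe) together with an embedded
    or configured PowerShell script is the layout seen in all three clusters."""
    has_launcher = report["uses_psf_wrapper"] or report["uses_aistub"]
    has_script = bool(report["psf_start_scripts"] or report["scripts"])
    return bool(has_launcher and has_script)


def build_sample_msix() -> bytes:
    """Constructed in-memory package (not a real sample) with the PSF layout
    described for Cluster 1; identity values and script names are placeholders."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Vendor.App" Publisher="CN=Example Publisher" Version="1.0.0.0"/>'
        "</Package>"
    )
    psf_config = {"applications": [{"id": "App", "executable": "PsfLauncher64.exe",
                                    "startScript": {"scriptPath": "install.ps1",
                                                    "waitForScriptToFinish": True}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("config.json", json.dumps(psf_config))
        pkg.writestr("StartingScriptWrapper.ps1", "# PSF wrapper script")
        pkg.writestr("install.ps1", "# placeholder for the embedded payload script")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_msix(build_sample_msix())
    print(json.dumps(rep, indent=2))
    print("suspicious:", is_suspicious(rep))
```

Run it against a real package with `triage_msix(open("installer.msix", "rb").read())`. The Publisher attribute is the subject of the signing certificate, so a package that claims to be Grammarly, Teams, Notion or Zoom but carries an unfamiliar publisher is worth a closer look even when no script is found.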

Why should organizations care about this?

Security is a cat-and-mouse game between adversaries and defenders, and the intrusions Red Canary observed and responded to demonstrate that preventative security controls alone are not adequate.

Following an uptick in malware delivered via MSIX, Microsoft disabled the ms-appinstaller protocol handler from February 2022 until August 2022 to address a vulnerability that let attackers distribute remote MSIX packages that appeared to come from a trusted source. While this mitigated some threats, other security researchers noted that legitimate code-signing certificates could be bought illicitly on criminal forums, and that MSIX installers could still distribute malware if they were first downloaded to the victim’s system.

In December 2023, Microsoft again disabled the protocol handler in response to increased use of MSIX to deliver malware from remote URLs, and this time left it disabled by default, so that re-enabling it requires a configuration change. As before, disabling the protocol handler does not eliminate the threat; it only means the malicious MSIX must be downloaded to disk and opened by the user rather than installed directly from a web link.


Since at least December 2022, adversaries have also abused advertisement solutions such as Google Ads to deliver malware of various types, including MSIX files, posing as legitimate software. Google Ads provide methods for companies to advertise using their product—namely, by putting promoted advertisements ahead of organic results. While Google and other search companies have attempted to curb SEO poisoning and malicious advertising, adversaries have continued to modify their tactics to evade anti-SEO poisoning efforts.

Victims of the malware distributed using these MSIX installers are often prime targets for follow-on activity through persistent access via remote access tools or credential access attempts with stealers.

What can you do about malicious MSIX installers?

While the increase in abuse of malicious MSIX installers is certainly an emergent trend, the adversaries behind it still rely at least partly on well-understood tradecraft. Fortunately, we can share a few pseudo-detectors that have helped us catch these and other threats. For prevention, organizations that use application allow-listing such as AppLocker can control MSIX with AppLocker’s packaged app rules, which govern which signed packaged apps and packaged app installers are allowed to run.

Detection opportunity 1: Launching PowerShell scripts from windowsapps directory

This pseudo-detector looks for PowerShell scripts executed from the WindowsApps directory, where packaged apps are installed. Benign PowerShell scripts do sometimes run from this directory, so analysts should triage hits by examining follow-on actions and network connections. In these intrusions, the adversary called StartingScriptWrapper.ps1 from the WindowsApps directory to execute the malicious payload script.

parent_process_path_includes ('\\windowsapps\\')
&&
process == ('powershell.exe')
&&
command_includes ('windowsapps' && '-file ' && '.ps1')

Detection opportunity 2: NetSupport running from unexpected directory

In the intrusions where the adversary delivered NetSupport Manager RAT as a follow-on payload, our existing detection coverage for malicious NetSupport installations served us well. Under normal circumstances, NetSupport Manager runs from the Program Files directory. If you find NetSupport Manager, often identifiable as client32.exe, running outside Program Files, particularly from ProgramData (as with the C:\ProgramData\Crosstec\client32.exe path in the IOC table below), it is worth investigating.

Detection opportunity 3: Abusing PowerShell to disable Defender components

We also observed at least one of these adversaries abusing PowerShell to exclude certain files or processes from Windows Defender scanning. Luckily, this is common tradecraft for which we’ve shared similar detection ideas on multiple occasions. The following may unearth this and other threats; since the Zloader cluster also excluded whole extensions such as .bat and .ps1 (see the Cluster 2 MITRE table), consider adding ExclusionExtension alongside the two parameters below:

process == ('powershell.exe')
&&
command_line_includes ('Set-MpPreference' || 'Add-MpPreference')
&&
command_line_includes ('ExclusionProcess' || 'ExclusionPath')

Detection opportunity 4: PowerShell -encodedcommand switch

We also observed at least one of these adversaries abusing the abbreviated -enc form of PowerShell’s -EncodedCommand switch to pass a base64-encoded command. This is another common bit of tradecraft that we’ve discussed many times on the Red Canary blog, in the Threat Detection Report, and elsewhere. The following should help detect it.

process == ('powershell.exe')
&&
command_includes ('-e' || '-en' || '-enc' || '-enco' || [any variation of the encoded command switch])*

*Note that PowerShell accepts any abbreviation from -e up to the full -EncodedCommand (and -ec), then base64-decodes the argument as UTF-16LE and runs it. Because a bare '-e' substring also matches switches such as -ExecutionPolicy, check that the token following the switch is actually a base64 string before alerting.

Detection opportunity 5: MSBuild without commands

In some detections, we observed the Microsoft Build Engine (msbuild.exe) making outbound network connections to IP addresses associated with the ArechClient2 remote access tool. In general it is suspicious for msbuild.exe to execute without any command-line arguments, which is precisely what we observed here. Looking for msbuild.exe launched with an empty command line and examining surrounding activity for suspicious network connections and child processes could help detect this threat.
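Detection opportunities 1 through 5 above are written as pseudo-detectors. The Python below is an added example, not Red Canary’s detection logic, that implements all five over a few constructed process events; the paths, package names and parent processes are placeholders shaped like the ones in this post. It goes slightly beyond the pseudo-detectors in two places called out in the comments: the Defender rule also matches ExclusionExtension, because the Zloader cluster excluded .bat and .ps1, and the encoded-command rule only fires when the token after the switch decodes as base64 UTF-16LE, which keeps -ExecutionPolicy and other switches that begin with -e from matching.

```python
import base64
import binascii
import re

# Expected install roots for NetSupport Manager (lower-case comparison).
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def ps1_from_windowsapps(ev):
    """Detection 1: powershell.exe whose parent lives under \\WindowsApps\\
    and whose command line runs a .ps1 from that directory via -file."""
    cl = ev["cmdline"].lower()
    return (ev["process"].lower() == "powershell.exe"
            and "\\windowsapps\\" in ev["parent_path"].lower()
            and "windowsapps" in cl and "-file" in cl and ".ps1" in cl)


def netsupport_unexpected_dir(ev):
    """Detection 2: NetSupport client32.exe running outside Program Files."""
    path = ev["path"].lower()
    return (path.rsplit("\\", 1)[-1] == "client32.exe"
            and not path.startswith(PROGRAM_FILES))


def defender_exclusion(ev):
    """Detection 3: PowerShell adding Defender exclusions. ExclusionExtension is
    included here because the Zloader cluster excluded .bat and .ps1."""
    cl = ev["cmdline"].lower()
    return (ev["process"].lower() == "powershell.exe"
            and ("set-mppreference" in cl or "add-mppreference" in cl)
            and any(k in cl for k in ("exclusionprocess", "exclusionpath",
                                       "exclusionextension")))


def decode_encoded_command(cmdline):
    """Detection 4: return the decoded script when any abbreviation of
    -EncodedCommand (-e, -en, ..., -encodedcommand, or -ec) is followed by a
    base64 UTF-16LE argument, else None. Requiring a decodable argument keeps
    '-ExecutionPolicy' and other '-e...' switches from matching."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if not ((len(t) >= 2 and t.startswith("-") and "-encodedcommand".startswith(t))
                or t == "-ec"):
            continue
        try:
            return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def msbuild_no_args(ev):
    """Detection 5: msbuild.exe started with nothing after the image path."""
    if ev["process"].lower() != "msbuild.exe":
        return False
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', ev["cmdline"])
    return m is not None and m.group(1).strip() == ""


RULES = {
    "ps1_from_windowsapps": ps1_from_windowsapps,
    "netsupport_unexpected_dir": netsupport_unexpected_dir,
    "defender_exclusion": defender_exclusion,
    "encoded_command": lambda ev: (ev["process"].lower() == "powershell.exe"
                                   and decode_encoded_command(ev["cmdline"]) is not None),
    "msbuild_no_args": msbuild_no_args,
}


def run_detectors(events):
    """Return (rule, event_index) for every rule that fires on each event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real data); paths, package names and the
# parent processes are placeholders shaped like the ones in the post.
_PS = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
_ENC = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"process": "powershell.exe", "path": _PS,
     "parent_path": "c:\\program files\\windowsapps\\vendor.app_1.0.0.0_x64__abc123\\aistub.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy RemoteSigned -file "C:\\Program Files\\WindowsApps\\Vendor.App_1.0.0.0_x64__abc123\\StartingScriptWrapper.ps1"'},
    {"process": "client32.exe", "path": "c:\\programdata\\crosstec\\client32.exe",
     "parent_path": "c:\\windows\\explorer.exe", "cmdline": "client32.exe"},
    {"process": "powershell.exe", "path": _PS,
     "parent_path": "c:\\users\\user\\appdata\\local\\temp\\install.exe",
     "cmdline": 'powershell.exe -Command "Add-MpPreference -ExclusionExtension .ps1"'},
    {"process": "powershell.exe", "path": _PS, "parent_path": "c:\\windows\\system32\\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"process": "msbuild.exe", "path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\msbuild.exe",
     "parent_path": "c:\\users\\user\\appdata\\roaming\\vboxsvc.exe",
     "cmdline": '"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"'},
    # Benign: -ExecutionPolicy begins with '-e' but no base64 argument follows.
    {"process": "powershell.exe", "path": _PS, "parent_path": "c:\\windows\\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command Get-Date"},
]

if __name__ == "__main__":
    for rule, i in run_detectors(SAMPLE_EVENTS):
        print(f"{rule:28s} event[{i}]  {SAMPLE_EVENTS[i]['cmdline'][:70]}")
```

Each rule takes one event dictionary with process, path, parent_path and cmdline fields, which is what most EDR process-start telemetry exposes under some name; feed real events through `run_detectors` by mapping your schema onto those four keys. The decoded script returned by `decode_encoded_command` is what an analyst wants to see first in the alert.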


In the tables below, you’ll find indicators of compromise (IOCs) and MITRE ATT&CK mappings for each of the three activity clusters.

Cluster 1 (FIN7): IOCs

| IOC | Context |
|---|---|
| grammarly.yesofts[.]com | Typosquatted Grammarly domain |
| storageplace[.]pro | Resolves to 193.233.22[.]126; hosted POWERTRASH malware |
| sun47281[.]space | PowerShell made a network connection to this domain |
| zatravnik1[.]com | Resolves to 166.1.160[.]205; NetSupport RAT C2 |
| 01cp.txt | Filename for Active Directory information export |
| 01ema.txt | Filename for Active Directory information export |
| 01usr.txt | Filename for Active Directory information export |
| C:\ProgramData\Crosstec\client32.exe | Path on disk for NetSupport RAT |
| 001c68b2f71d1fcb9cea1bc42ed0b4c2b6d9fce4b4754d05d6a5a1f28573373a | Malicious MSIX (SHA256) |
| 1aec04bbf32d06b9cc032755c70103673f1137371a9d4f4608b4a309467943ed | Malicious PowerShell script (SHA256) |
| 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89 | NetSupport RAT (SHA256) |
| 21903b51f23f7af681a9f69aa066753b202af6c537b97a247d98cfbdec150d63 | NetSupport RAT (SHA256) |
| 6ca002e77ed2c70dd265bea42b89d969 | Malicious MSIX file (MD5) |
| e14c3224215ea91587e96b995861e8966166dfc08ab4d409bd729770815b3b81 | NetSupport RAT (SHA256) |
| 166.1.160[.]205 | Hosts zatravnik1[.]com; NetSupport RAT C2 |
| 193.233.22[.]126 | Hosted the malicious storageplace[.]pro domain; hosted POWERTRASH malware |
| 94.131.107[.]181 | Hosts typosquatted Grammarly domains |

Cluster 2 (Zloader): IOCs

| IOC | Context |
|---|---|
| 1204knos[.]ru | Python reached out to this domain |
| 1204networks[.]ru | Python reached out to this domain |
| 48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e | Install.exe (SHA256) |

Cluster 3 (FakeBat): IOCs

| IOC | Context |
|---|---|
| 4sync[.]com | Malicious PowerShell reached out to this domain |
| 623start[.]site | Malicious PowerShell reached out to this domain; resolves to 195.161.114[.]3 |
| 756-ads-info[.]xyz | Malicious PowerShell reached out to this domain |
| cdn-dwnld[.]ru | Resolves to 195.161.114[.]3, an ArechClient2 C2 |
| clk-info[.]ru | Malicious PowerShell reached out to this domain; resolves to 81.177.140[.]69 |
| eventbox[.]com | Resolves to 31.172.76[.]107, an ArechClient2 C2 |
| fullpower682[.]store | Resolves to 81.177.140[.]69; has hosted ArechClient2 in the past |
| next-traf623[.]site | Malicious PowerShell reached out to this domain |
| notio-apps[.]cloud | Malicious PowerShell reached out to this domain |
| shaadidates[.]com | Malicious PowerShell reached out to this domain |
| tatmacerasi[.]com | Malicious domain associated with ArechClient2 and Redline |
| tombeaux-saadiens[.]com | PowerShell made a network connection to this domain |
| 09b7d9976824237fc2c5bd461eab7a22 | Malicious MSIX (MD5) |
| 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215 | Seen under two names, AcroBroker.exe and VBoxSVC.exe; both binaries were signed as Adobe PDF Broker Process for Internet Explorer (SHA256) |
| 4f5e36e74b318c2aab027bc01e093f210a20e911dc5c15f7c6462d8243f09246 | Malicious RAR downloaded from fullpower682[.]store (SHA256) |
| 5cf033157f63781a190b43d5dde427ccbe16ecda7cab4ccee617bd2d24e6a081 | Malicious PowerShell script (SHA256) |
| 7bef661ffc9788b5c54e0f98728f34155d7a713f2bfffeb0ef5dc7e33d52aca1 | Redline Stealer (SHA256) |
| a58ebff4519a8af8ec4111e232be13b12bb41bf5f9a8bf9436ba6c5afe292f8f | sqlite.dll used in search order hijacking (SHA256) |
| f433a5982dfa78a47c826ccd0c5b0b8d7a8f8fc34dfdb403f171543f5fc09ba8 | Malicious PowerShell script (SHA256) |
| f5244c0d5c537efb24c9103e866eea26 | Malicious MSIX (MD5) |
| f57a22a7b0b28d0636cf0a9f79754778ea8660946db8236fcdab335d0335aec4 | Malicious PowerShell script (SHA256) |
| 185.197.75[.]191 | ArechClient2 C2 |
| 194.26.135[.]119 | Malicious PowerShell reached out to this IP |
| 195.161.114[.]3 | ArechClient2 C2 |
| 31.172.76[.]107 | ArechClient2 C2 |
| 77.246.101[.]46 | Redline C2 |
| 81.177.140[.]69 | Has hosted numerous malicious domains, including clk-info[.]ru and fullpower682[.]store |
| 81.177.140[.]194 | Hosts numerous malicious domains, including next-traf623[.]site |

Cluster 1 (FIN7): MITRE ATT&CK mappings

| MITRE (sub)technique | Tactic | Example |
|---|---|---|
| T1204.002 - User Execution: Malicious File | Execution | Usage of malicious MSIX files |
| T1036.005 - Masquerading: Match Legitimate Name or Location | Defense Evasion | Malicious MSIX files masquerade as legitimate Zoom, Microsoft Teams, or Grammarly installers |
| T1570 - Lateral Tool Transfer | Lateral Movement | "xcopy.exe" "C:\Users\\AppData\Roaming" "C:\Users\\AppData\Local\Packages\manager_c4g82jgbfsn1c\LocalCache\Roaming" /e /s /y /c /h /q /i /k |
| T1059.001 - Command and Scripting Interpreter: PowerShell | Execution | Powershell.exe -ExecutionPolicy RemoteSigned -file '.\kjlalsndlkasndaskjdn.ps1' |
| T1105 - Ingress Tool Transfer | Command and Control | Adversaries use PowerShell to load POWERTRASH and Carbanak malware. |
| T1219 - Remote Access Software | Command and Control | Usage of NetSupport RAT |
| T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence | Modifying AutoRun key at \registry\user\\software\microsoft\windows\currentversion\run\googleupdate |
| T1069.002 - Permission Groups Discovery: Domain Groups | Discovery | net group "Domain Admins" /domain |
| T1482 - Domain Trust Discovery | Discovery | nltest /domain_trusts /all_trusts |
| T1087.002 - Account Discovery: Domain Account | Discovery | csvde.exe -r "(&(objectClass=Computer))" -l samAccountName,description,IPv4Address,info,operatingSystem -f 01cp.txt ; csvde.exe -r "(&(objectCategory=person)(objectClass=User))" -l samAccountName,description,info,mail,middleName,displayName,title,department,lastLogon -f 01usr.txt |

Cluster 2 (Zloader): MITRE ATT&CK mappings

| MITRE (sub)technique | Tactic | Example |
|---|---|---|
| T1204.002 - User Execution: Malicious File | Execution | Usage of malicious MSIX files |
| T1036.005 - Masquerading: Match Legitimate Name or Location | Defense Evasion | Malicious MSIX files masquerade as legitimate Zoom, Microsoft Teams, or Grammarly installers |
| T1059 - Command and Scripting Interpreter | Execution | Execution of malicious BAT, Python, and EXE files |
| T1047 - Windows Management Instrumentation; T1046 - Network Service Discovery | Execution; Discovery | wmic computersystem get domain |
| T1033 - System Owner/User Discovery | Discovery | whoami /groups |
| T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence | Modifying AutoRun key at \registry\user\\software\microsoft\windows\currentversion\run\loader.py |
| T1140 - Deobfuscate/Decode Files or Information | Defense Evasion | openssl enc -aes-256-cbc -d -in code9.exe.enc -out code9.exe -pbkdf2 -pass pass:[redacted] |
| T1562.001 - Impair Defenses: Disable or Modify Tools | Defense Evasion | Adversaries executed PowerShell commands to exclude Windows Defender from scanning the contents of various locations and extensions, such as %TEMP%, %UserProfile%\*, .bat and .ps1. |

Cluster 3 (FakeBat): MITRE ATT&CK mappings

| MITRE (sub)technique | Tactic | Example |
|---|---|---|
| T1204.002 - User Execution: Malicious File | Execution | Usage of malicious MSIX files |
| T1036.005 - Masquerading: Match Legitimate Name or Location | Defense Evasion | Malicious MSIX files masquerade as legitimate Zoom, Microsoft Teams, or Grammarly installers |
| T1570 - Lateral Tool Transfer | Lateral Movement | "xcopy.exe" "C:\Program Files\WindowsApps\GoogleLLC.Chrome_115.0.5790.173_x64__cvpb331a1f8hw\VFS\AppData" "C:\Users\\AppData\Local\Packages\GoogleLLC.Chrome_cvpb331a1f8hw\LocalCache\Roaming" /e /s /y /c /h /q /i /k |
| T1027.010 - Obfuscated Files or Information: Command Obfuscation | Defense Evasion | Adversaries used encoded PowerShell to write malicious data to a LNK file. |
| T1059.001 - Command and Scripting Interpreter: PowerShell | Execution | Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\GoogleLLC.Chrome_115.0.5790.173_x64__cvpb331a1f8hw\kin_mix+notion _new_21.08.ps1' |
| T1574.002 - Hijack Execution Flow: DLL Side-Loading | Persistence, Privilege Escalation, Defense Evasion | Malicious vboxsvc.exe binary loaded a DLL named sqlite.dll. |
| T1518.001 - Software Discovery: Security Software Discovery | Discovery | Red Canary observed a malicious PowerShell script use WMI to query for antivirus products on an endpoint. |
| T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | Credential Access | Redline stealer and other infostealers steal credentials from web browsers. |
| T1105 - Ingress Tool Transfer | Command and Control | Adversaries use PowerShell to download ArechClient2 or Redline stealer. |
