Don’t judge a book by its cover, and don’t judge a file by its packaging. Earlier this year, the Red Canary Intelligence team shared research on multiple campaigns leveraging Microsoft’s MSIX format for Windows to package malicious fake installers, enabling adversaries to deliver payloads and evade defensive controls. This behavior is not limited just to Windows or MSIX. Different operating systems use different installer package formats—sometimes more than one—and adversaries have abused installer packages on macOS and Linux systems as well.
In the latest Detection Series webinar, Cat Self from MITRE ATT&CK® joined Red Canary’s Matt Graeber and Frank Lee to discuss how adversaries leverage installer packages to stealthily deliver malware on various operating systems. Along with sharing some in-the-wild examples, the panel dives into mitigation, relevant log sources, and detection guidance.
You can watch the full recording here or check out the clips below.
Why should defenders be wary of installer packages?
Matt kicks things off by laying out the stakes–MSIX and other installer package formats provide adversaries with a relatively easy way to deliver malicious payloads under the guise of legitimate-looking behavior.
What exactly are installer packages?
Cat offers a useful analogy of moving into a new house to explain how installer packages work.
What do installer packages look like on Windows?
Matt walks us through a technical deep dive on Microsoft’s MSIX file format, including how the feature has evolved over the years, and provides an illustrative example of an obfuscated PowerShell download cradle.
What MSIX abuse has Red Canary seen in the wild?
Frank highlights three activity clusters that Red Canary has observed abusing the MSIX file format to drop malicious payloads such as NetSupport Manager, Zloader, RedLine, and more.
How do I mitigate MSIX abuse?
Matt suggests some configurations and controls to prevent MSIX files from executing in the first place, including blocking the execution of files with a revoked certificate, disabling non-Microsoft Store apps, and setting up a Group Policy Object (GPO).
What do installer packages look like on macOS?
The Apple doesn’t fall too far from the process tree. Cat highlights the DMG file format, a sort of MSIX equivalent on macOS systems, which can obfuscate pre- and post-install scripts that enable persistence and privilege escalation.
What threat actors have abused installer packages on macOS?
Frank showcases some real-word examples of malicious installer packages on macOS, including the Lazarus Group’s infamous “AppleJeus” campaign back in 2018.
What do installer packages look like on Linux?
Cat tackles installer packages from the Linux perspective, highlighting how adversaries have leveraged package managers such as Deb, Debian, and NPM to install malicious scripts and malware.
How does this behavior map to MITRE ATT&CK?
The release of ATT&CK 15.0 includes some new techniques that encompass malicious installer package abuse, notably T1548.006, or Abuse Elevation Control Mechanism: TCC Manipulation, which Cat showcases here.
How does Red Canary detect installer package abuse?
Frank and Matt answer a question from the audience about how Red Canary is able to detect such elusive behavior, emphasizing the importance of analyzing the entire process tree collected from endpoint detection and response (EDR) telemetry.
Related Articles
How adversaries use Entra ID service principals in business email compromise schemes
The Trainman’s Guide to overlooked entry points in Microsoft Azure