{"id":993331,"date":"2023-10-30T03:12:46","date_gmt":"2023-10-30T05:12:46","guid":{"rendered":"https:\/\/teknomers.com\/fr\/des-pirates-utilisent-des-packages-dapplications-msix-pour-infecter-des-pc-windows-avec-ghostpulse-maware\/"},"modified":"2023-10-30T03:12:49","modified_gmt":"2023-10-30T05:12:49","slug":"des-pirates-utilisent-des-packages-dapplications-msix-pour-infecter-des-pc-windows-avec-ghostpulse-maware","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/des-pirates-utilisent-des-packages-dapplications-msix-pour-infecter-des-pc-windows-avec-ghostpulse-maware\/","title":{"rendered":"Hackers Use MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">October 30, 2023<\/span><span class=\"author\">Editorial staff<\/span><\/span><span class=\"p-tags\">Malware \/ endpoint security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>A new cyber attack campaign has been observed using fake <a rel=\"nofollow noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/msix\/overview\" target=\"_blank\">MSIX<\/a> Windows application package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly and Cisco Webex to distribute a new malware loader dubbed <strong>GHOSTPULSE<\/strong>.<\/p>\n<p>&#8220;MSIX is a Windows application package format 
that developers can leverage to package, distribute, and install their applications to Windows users,&#8221; Elastic Security Labs researcher Joe Desimone <a rel=\"nofollow noopener\" href=\"https:\/\/www.elastic.co\/security-labs\/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks\" target=\"_blank\">said<\/a> in a technical report published last week.<\/p>\n<p>&#8220;However, MSIX requires access to purchased or stolen code signing certificates, making them viable for groups with above-average resources.&#8221;<\/p>\n<p>Based on the installers used as lures, it is suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.<\/p>\n<p>Launching the MSIX file opens a Windows prompt asking users to click the Install button, which results in GHOSTPULSE being stealthily downloaded onto the compromised host from a remote server (&#8220;manojsinghnegi[.]com&#8221;) via a PowerShell script.<\/p>\n<p>This process unfolds over several stages, the first payload being a TAR archive file containing an executable that masquerades as the 
Oracle VM VirtualBox service (VBoxSVC.exe) but is in reality a legitimate binary shipped with Notepad++ (gup.exe).<\/p>\n<p>The TAR archive also contains handoff.wav and a trojanized version of libcurl.dll, which is loaded to move the infection process to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading.<\/p>\n<p>&#8220;The PowerShell executes the VBoxSVC.exe binary, which will load the malicious DLL libcurl.dll from the current directory,&#8221; Desimone said. 
&#8220;By minimizing the on-disk footprint of the encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.&#8221;<\/p>\n<p>The tampered DLL file then proceeds to parse handoff.wav, which in turn contains an encrypted payload that is decoded and executed via mshtml.dll, a method known as <a rel=\"nofollow noopener\" href=\"https:\/\/www.ired.team\/offensive-security\/code-injection-process-injection\/modulestomping-dll-hollowing-shellcode-injection\" target=\"_blank\">module<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/blog.f-secure.com\/hiding-malicious-code-with-module-stomping\/\" target=\"_blank\">stomping<\/a>, to ultimately load GHOSTPULSE.<\/p>\n<p>GHOSTPULSE acts as a loader, employing another technique known as <a rel=\"nofollow noopener\" href=\"https:\/\/www.elastic.co\/blog\/process-ghosting-a-new-executable-image-tampering-attack\" target=\"_blank\">process doppelg\u00e4nging<\/a> to kick off the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.<\/p>\n<\/div>\n<p><a href=\"https:\/\/thehackernews.com\/2023\/10\/hackers-using-msix-app-packages-to.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>October 30, 2023 Editorial staff Malware \/ endpoint security A new cyber attack campaign has been observed using fake MSIX Windows application package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly and Cisco Webex to distribute a new malware loader dubbed GHOSTPULSE. 
&#8220;MSIX is a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":993332,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[200292,84,4168,4165,4161,200267,28159,133,211810,36096,4159,4171,200271,211811,200268,211809,200269,200270,7309,4394,185,128318,4172,4169,10784,4166,4164,45020],"class_list":["post-993331","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-avec","tag-comment-pirater","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-dapplications","tag-des","tag-ghostpulse","tag-infecter","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-logiciel-malveillant-rancongiciel","tag-maware","tag-mises-a-jour-sur-la-cybersecurite","tag-msix","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-packages","tag-pirates","tag-pour","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-utilisent","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-windows"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/993331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=993331"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/993331\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/993332"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=993331"}],"wp:term":[{"
taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=993331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=993331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}