Beyond the Package: The New Frontier of MSIX Attack

Since late 2023, we have observed various threat actors using spurious MSIX Windows app package files to distribute a wide range of malware payloads. MSIX is a Windows application packaging and installation format that helps enterprises keep their software up to date; IT teams and developers use it to deliver applications within the enterprise.

The threat actors behind these campaigns have used tactics such as malvertising and search engine optimization (SEO) poisoning to lure users into downloading fake Windows installers for popular web browsers, browser extensions and well-known software brands such as Notion, Trello, Braavos and OneNote. We have observed financially motivated threat actors such as FIN7 misusing MSIX files as an initial access vector, delivering payloads such as DarkGate, NetSupport RAT, Fakebat and Batloader. Some of these infections have also led to ransomware deployment.

The presentation will cover the following points:

  • Deep dive into the MSIX package structure and how it works
    • Types of files inside the package and the processes involved in its operation
    • Package Support Framework (PSF)
  • Techniques used by threat actors to abuse MSIX
  • Case study: analysis of several observed attack cases abusing MSIX files
    • Includes analysis of the malware components used in subsequent stages of the infection chain, such as PowerShell scripts, PE EXE/DLL files and ZIP/GPG/7Z archives
  • Actions: detection possibilities
  • Key takeaways
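The outline above treats the package structure and the Package Support Framework as the starting point for analysis. As an added example (not code from the talk or its authors), the script below does the first triage step an analyst would take on a suspicious .msix: it opens the package as the ZIP/OPC container it is, reads AppxManifest.xml for identity, entry points and capabilities, and reports PSF script hooks (a PsfLauncher entry point plus startScript/endScript entries in config.json). The package it inspects is constructed in memory for the example; the manifest and PSF field names are the real ones, but the sample identity, publisher and file contents are placeholders, and the findings list reflects this example's own choice of what deserves a closer look.

```python
"""Offline static triage of an MSIX package.

Added example, not part of the talk: an MSIX is an OPC/ZIP container, so the
Python standard library is enough to list its contents, parse AppxManifest.xml
and spot Package Support Framework (PSF) script hooks without installing it.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

FOUNDATION_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP_NS = FOUNDATION_NS + "/restrictedcapabilities"
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample manifest (example data, not a real package): the entry
# point is handed to the PSF launcher and the package requests runFullTrust.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="{FOUNDATION_NS}"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
         xmlns:rescap="{RESCAP_NS}">
  <Identity Name="Example.FakeInstaller" Publisher="CN=Example Publisher, O=Example"
            Version="1.0.0.0" ProcessorArchitecture="x64"/>
  <Properties>
    <DisplayName>Example Installer</DisplayName>
    <PublisherDisplayName>Example</PublisherDisplayName>
    <Logo>Assets\\logo.png</Logo>
  </Properties>
  <Applications>
    <Application Id="App" Executable="PsfLauncher64.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements DisplayName="Example" Description="Example" BackgroundColor="transparent"
                          Square150x150Logo="Assets\\logo.png" Square44x44Logo="Assets\\logo.png"/>
    </Application>
  </Applications>
  <Capabilities>
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
</Package>
"""

# Constructed PSF config.json: startScript is PSF's own hook for running a
# PowerShell script before the application's executable starts.
SAMPLE_PSF_CONFIG = {
    "applications": [{
        "id": "App",
        "executable": "VFS\\ProgramFilesX64\\Example\\example.exe",
        "workingDirectory": "",
        "startScript": {"scriptPath": "setup.ps1", "runOnce": True,
                        "showWindow": False, "waitForScriptToFinish": True},
    }],
}


def build_sample_msix(signed: bool = True) -> bytes:
    """Build a minimal MSIX-shaped zip in memory. The .exe/.dll/.p7x bodies are
    placeholders; 'signed' only controls whether AppxSignature.p7x is present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("AppxBlockMap.xml", "<BlockMap/>")
        z.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        if signed:
            z.writestr("AppxSignature.p7x", b"PKCX")  # placeholder, not a real PKCS#7 blob
        z.writestr("config.json", json.dumps(SAMPLE_PSF_CONFIG))
        z.writestr("PsfLauncher64.exe", b"MZ")
        z.writestr("PsfRuntime64.dll", b"MZ")
        z.writestr("setup.ps1", "Start-Process powershell.exe -WindowStyle Hidden")
        z.writestr("VFS/ProgramFilesX64/Example/example.exe", b"MZ")
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Parse the manifest and PSF config and return the facts plus findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("AppxManifest.xml"))
        psf_config = json.loads(z.read("config.json")) if "config.json" in names else {}

    ident = root.find(f"{{{FOUNDATION_NS}}}Identity")
    identity = dict(ident.attrib) if ident is not None else {}
    apps = [{"id": a.get("Id"), "executable": a.get("Executable"), "entry_point": a.get("EntryPoint")}
            for a in root.iter(f"{{{FOUNDATION_NS}}}Application")]
    caps = [c.get("Name") for ns in (FOUNDATION_NS, RESCAP_NS) for c in root.iter(f"{{{ns}}}Capability")]

    # PSF hooks: startScript/endScript are PSF's script-execution points.
    psf_scripts = [(app.get("id"), hook, app[hook].get("scriptPath"))
                   for app in psf_config.get("applications", [])
                   for hook in ("startScript", "endScript") if hook in app]
    script_files = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    # Presence of the signature file says nothing about whether it is valid or
    # trusted; that check needs the Windows trust APIs on a real package.
    signature_present = "AppxSignature.p7x" in names

    if not signature_present:
        findings.append("no AppxSignature.p7x: package carries no signature")
    if "runFullTrust" in caps:
        findings.append("runFullTrust capability: app runs as an ordinary desktop process")
    for app in apps:
        if (app["executable"] or "").lower().startswith("psflauncher"):
            findings.append(f"application '{app['id']}' starts via the PSF launcher")
    for app_id, hook, path in psf_scripts:
        findings.append(f"PSF {hook} for '{app_id}' runs {path}")
    if script_files:
        findings.append("script files shipped in package: " + ", ".join(script_files))

    return {"identity": identity, "applications": apps, "capabilities": caps,
            "signature_present": signature_present, "psf_scripts": psf_scripts,
            "script_files": script_files, "findings": findings}


if __name__ == "__main__":
    for line in triage_msix(build_sample_msix())["findings"]:
        print(line)
```

To run it against a real sample, pass the bytes of the .msix file to triage_msix instead of the constructed package; the manifest parsing and PSF checks are the same. Everything here is read-only and never installs or executes anything from the package.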

These MSIX abuse techniques are not widely discussed, so this presentation will help the cybersecurity community defend against MSIX attack campaigns.

Prakash Galande – Symantec – BROADCOM

Prakash Galande is a senior security researcher at Symantec, a division of Broadcom, with more than 12 years of experience. He is passionate about malware analysis and reverse engineering.

He likes to research and find innovative ways to detect malware behaviors and techniques, and occasionally writes blogs.

He has written blog posts on several malware topics and has also presented his research findings at AVAR.

Nitin Shekokar – Symantec – BROADCOM

Nitin N Shekokar is a seasoned cybersecurity professional with 17 years of experience in threat research and operations. 

He currently serves as the Global Efficacy Lead at Symantec, a division of Broadcom, where he ensures robust protection against emerging threats across all Symantec security product stacks.

Nitin holds three patents in the cybersecurity domain and has presented his research at prominent international conferences, including Virus Bulletin and AVAR.