Since February 2023, we have observed an attack campaign using MSIX files. MSIX file is the successor format to MSI file, but many people are unaware of its existence and, needless to say, do not know of any abuse cases.

This session will first introduce basic information on MSIX file, such as the file format, basic behavior, and the creation method, followed by attack cases of MSIX file abuse. Specifically, we will detail attacks conducted by a financially motivated threat group called SteelClover. In particular, we will delve into the Package Support Framework (PSF). Our session will contribute to your better understanding of the attack flow and the behavior through specific attack cases abusing MSIX files.

Finally, we will discuss detection and defense techniques, including the detection logics available for EDR solutions, against attacks that exploit MSIX files. This session will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the specific attack cases and behavior abusing MSIX files and to take concrete countermeasures.