hack.lu

The rise of malicious MSIX file
10-19, 14:30–15:00 (Europe/Luxembourg), Salle Europe

Since February 2023, we have observed an attack campaign using MSIX files. MSIX file is the successor format to MSI file, but many people are unaware of its existence and, needless to say, do not know of any abuse cases.

This session will first introduce basic information on MSIX file, such as the file format, basic behavior, and the creation method, followed by attack cases of MSIX file abuse. Specifically, we will detail attacks conducted by a financially motivated threat group called SteelClover. In particular, we will delve into the Package Support Framework (PSF). Our session will contribute to your better understanding of the attack flow and the behavior through specific attack cases abusing MSIX files.

Finally, we will discuss detection and defense techniques, including the detection logics available for EDR solutions, against attacks that exploit MSIX files. This session will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the specific attack cases and behavior abusing MSIX files and to take concrete countermeasures.


Basics of MSIX file

First, we will present a basics of MSIX file, including how it was devised, what features it provides, and its file format and the behavior. We will also cover how to create MSIX files and its third-party builders. In addition, this chapter will provide what the Package Support Framework is and how it can be exploited by threat actors.

Attack Cases

In this chapter, we will detail specific attack cases of MSIX file abuse. In particular, we will share attack cases by an attack group we call SteelClover. SteelClover, also known as DEV-0569 or Water Minyades, is a financially motivated threat group that has been active since around 2019. This attack group delivers malware through Exploit Kit or fake software distribution starting with a malvertising. We have confirmed that they began abusing MSIX files in March 2023. This chapter will briefly offer basic information on SteelClover and victimology, and then share specific attack flows. Additionally, we will show a detailed process tree and our analysis result of how a malicious MSIX file is delivered to a potential victim user, and how it causes a compromise when executed. This gives the audience an in-depth understanding of actual attack cases that exploit MSIX files.

Defense

This chapter will focus on defenses against attacks that exploit MSIX files. For example, it will provide interesting characteristics of file creation, process creation, and other behaviors, along with specific detection logic to detect these behaviors. MSIX files have many characteristic behaviors, and without knowing them, it is extremely difficult to understand the nature of the breach. This chapter will enable the audience to know how to protect your own organization against MSIX file abuses and to take concrete actions.

Wrap-Up

Finally, we will wrap up our presentation. Based on specific attack cases of compromise using MSIX files, we will consider defensive measures to protect one's own organization from such threats. This session will help the audience gain a basic overview of an MSIX file and a deeper understanding of attack cases that exploit MSIX files, and to take concrete countermeasures.

Appendix: IoCs

We will list the IoCs of the malicious MSIX files presented in this session.

Shogo Hayashi is a security analyst at NTT Security Holdings. His main specialization is responding to EDR detections, creating IoCs, analyzing malware and research cyber threat. He is a cofounder of SOCYETI, an organization for sharing threat information and analysis technique to SOC analysts in Japan. He has spoken at JSAC, VB, SAS, CODE BLUE and has written several white papers and blogs.

Rintaro Koike is a security analyst at NTT Security Holdings. He is engaged in threat research and malware analysis. In addition, he is a founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, SAS, AVAR, Black Hat USA Arsenal and others.