Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware

Summary:
A recent surge in malware infections has been attributed to malvertising campaigns targeting users searching for popular software such as Brave, KeePass, Notion, Steam, and Zoom. The attack vector is a trojanized MSIX installer that runs a PowerShell script to fetch secondary payloads once the booby-trapped package is installed and launched. The PowerShell script, which Mandiant tracks as NUMOZYLOD (also known as FakeBat, EugenLoader, and PaykLoader), is linked to the threat actor UNC4536, which operates under the moniker "eugenfest." This actor runs a Malware-as-a-Service (MaaS) operation that distributes several malware families on behalf of other actors. The MSIX installers are disguised as the legitimate software and hosted on fraudulent websites that mimic the vendors' download pages, luring users who arrive through sponsored search results. The malicious script is embedded within the MSIX package and executed through the Package Support Framework (PSF): the package's PSF configuration instructs the PSF launcher to run the script before the main application's executable starts, so the loader fires the first time the victim launches the freshly installed program.
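The PSF mechanism described above is a documented feature, not an exploit: an MSIX that bundles PSF replaces the application's manifest entry point with PsfLauncher, and a config.json inside the package can name a "startScript" or "endScript" that the launcher hands to PowerShell around the real executable. Because an MSIX is a ZIP container, that configuration can be reviewed statically before anyone installs the package. The following triage script is an added example written for this page; it is not code from the original article, from Mandiant, or from the campaign. It builds a constructed, minimal MSIX-like archive in memory (no signature, block map, or real PE, and the file names inside it are placeholders) and then reports any manifest application that launches through PsfLauncher together with any script hooks declared in config.json.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# PSF config.json hooks that make PsfLauncher run a PowerShell script around the app.
PSF_SCRIPT_HOOKS = ("startScript", "endScript")


def scan_msix(package_bytes: bytes) -> dict:
    """Statically inspect an MSIX (a ZIP container) for PSF script hooks.

    Returns which manifest <Application> entries launch through PsfLauncher and
    which entries in any PSF config.json declare startScript/endScript directives.
    """
    findings = {"psf_launcher_apps": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        names = pkg.namelist()
        if "AppxManifest.xml" in names:
            root = ET.fromstring(pkg.read("AppxManifest.xml"))
            for elem in root.iter():
                # Manifest tags are namespaced, so match on the local name only.
                if (elem.tag.endswith("}Application")
                        and "psflauncher" in elem.get("Executable", "").lower()):
                    findings["psf_launcher_apps"].append(
                        {"id": elem.get("Id"), "executable": elem.get("Executable")})
        for name in names:
            # PSF looks for config.json at the package root; scan any nested copy too.
            if name.lower().split("/")[-1] != "config.json":
                continue
            cfg = json.loads(pkg.read(name))
            for app in cfg.get("applications", []):
                for hook in PSF_SCRIPT_HOOKS:
                    directive = app.get(hook)
                    if not directive:
                        continue
                    findings["scripts"].append({
                        "config": name,
                        "app": app.get("id"),
                        "hook": hook,
                        "script": directive.get("scriptPath"),
                        "arguments": directive.get("scriptArguments", ""),
                        "wait": bool(directive.get("waitForScriptToFinish", False)),
                    })
    return findings


def is_suspicious(findings: dict) -> bool:
    """Heuristic: an app launched via PsfLauncher with a script hook deserves manual review."""
    return bool(findings["psf_launcher_apps"]) and bool(findings["scripts"])


def build_sample_msix(with_script_hook: bool) -> bytes:
    """Build a constructed, minimal MSIX-like archive in memory (no signature or block map)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Example.Installer" Publisher="CN=Example" Version="1.0.0.0"/>'
        '<Applications>'
        '<Application Id="App" Executable="PsfLauncher64.exe" '
        'EntryPoint="Windows.FullTrustApplication"/>'
        '</Applications></Package>'
    )
    app_entry = {"id": "App", "executable": "VFS\\ProgramFilesX64\\Example\\Example.exe"}
    if with_script_hook:
        app_entry["startScript"] = {
            "scriptPath": "StartingScriptWrapper.ps1",  # placeholder name for the hooked script
            "scriptArguments": "",
            "runInVirtualEnvironment": False,
            "showWindow": False,
            "waitForScriptToFinish": True,
        }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("config.json", json.dumps({"applications": [app_entry]}))
        pkg.writestr("PsfLauncher64.exe", b"MZ")  # placeholder bytes, not a real PE
        if with_script_hook:
            pkg.writestr("StartingScriptWrapper.ps1", "# placeholder for the hooked script\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hooked in (True, False):
        result = scan_msix(build_sample_msix(hooked))
        print("script hook present:", hooked, "-> suspicious:", is_suspicious(result))
        for entry in result["scripts"]:
            print("  ", entry["hook"], "runs", entry["script"], "for app", entry["app"])
```

Point the scanner at a real download with `scan_msix(open("installer.msix", "rb").read())`. A hit is a prompt for review rather than a verdict: some legitimate packages use PSF scripts for setup tasks, so read the referenced .ps1 from the archive before deciding, and treat a script that downloads or decodes further content as the loader behaviour the summary describes. Checking the package signature and the publisher name shown by App Installer against the vendor's real identity is a separate, complementary step.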

Security Officer Comments:
The observed increase in malware infections delivered through trojanized MSIX installers highlights the evolving tactics employed by threat actors. The abuse of a legitimate MSIX capability, namely the Package Support Framework's ability to run a script around the packaged application, demonstrates a sophisticated understanding of software packaging and distribution mechanisms, and it means the malicious behaviour lives in package configuration rather than in a recognisably malicious binary. The involvement of a MaaS operation in this campaign underscores the growing commoditization of malicious tools and services within the cybercriminal ecosystem. Threat actors increasingly rely on each other for specialized services such as malware distribution and persistence methods. By drawing on this ecosystem, financially motivated groups such as FIN7 can conduct ransomware operations without spending their own resources on gaining initial access to the targeted organizations.

The use of malvertising to distribute these malicious payloads emphasizes the importance of a comprehensive, layered security approach built on endpoint protection and user education. Organizations should implement measures to detect and prevent malicious downloads, such as application allowlisting and user awareness training that covers sponsored search results and look-alike download sites, not only email. Additionally, the discovery of multiple malware variants delivered through this attack vector indicates the need for continuous threat intelligence gathering to stay informed about emerging threats. The ability of NUMOZYLOD to gather system information and establish persistence highlights the importance of incident response capabilities that can contain and eradicate such infections promptly, and the criticality of network segmentation to limit what a single compromised endpoint can reach.

Suggested Corrections:
YARA rules for detecting this malware are published by Mandiant in the Google Cloud Community blog post linked below.

The increase in remote work has increased reliance on email and on self-service software downloads. These conditions also increase the risk of personnel being targeted by phishing, spam, and malvertising, and thus of ransomware and other malware infections. Users should adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources; verify the domain even if the page looks like a legitimate software download site, and navigate to the vendor's site directly rather than through sponsored search results
  • Before installing an MSIX package, check that the publisher shown by the installer matches the real vendor, and report any mismatch rather than proceeding
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam, and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

Link(s):
https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html

https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551