Ghostpulse Malware Gets Stealthier: Hiding Payload in PNG Pixel Data
Ghostpulse malware, a threat first spotted in 2023, has taken a significant step towards evading detection. Security researchers at Elastic Security Labs have confirmed that the malware now hides its main payload within the pixel data of PNG image files.
PNG Images: The New Weapon for Malware Payload Delivery
This innovative technique marks a significant evolution for Ghostpulse. Previously, the malware relied on methods such as embedding payloads in PNG file’s IDAT chunk and other elusive strategies. The shift to pixel-based payload concealment makes it even harder for traditional security software to identify and block.
PNGs are a popular format for web graphics due to their lossless compression, which preserves crucial details like smooth text outlines. This characteristic makes them ideal for concealing malicious data without compromising visual integrity.
How Ghostpulse Exploits PNGs
“The malware constructs a byte array by extracting each pixel’s red, green, and blue (RGB) values sequentially using standard Windows APIs from the GdiPlus(GDI+) library,” explained Salim Bitam, a researcher at Elastic Security Labs.
“Once the byte array is built, the malware searches for the start of a structure containing the encrypted Ghostpulse configuration, including the XOR key needed for decryption.” The process involves looping through the byte array in 16-byte blocks, analyzing each block’s CRC32 hash, and identifying the location of the encrypted configuration data.
This intricate method of embedding and retrieving the payload makes it significantly harder for security tools to identify and neutralize Ghostpulse, highlighting the evolving sophistication of cyber threats.
Social Engineering and Malicious Shortcuts: Delivering the Payload
The pixel-based payload delivery mechanism works hand-in-hand with sophisticated social engineering tactics to infect victims.
Bitam noted that victims are lured to attacker-controlled websites through deceptive emails or other channels. On these sites, they are tricked into performing actions that copy malicious JavaScript code to their clipboard.
This script, disguised as a routine CAPTCHA validation, instructs victims to enter specific keyboard shortcuts. When executed, this action leads to the download and execution of the Ghostpulse payload via a PowerShell script.
Ghostpulse’s Growing Threat Level
Ghostpulse’s evolution raises serious concerns about its evolving threat level. The malware is often used to deploy other dangerous threats, such as the Lumma infostealer, which can steal sensitive data, including cryptocurrency wallets and passwords.
Cyfirma has highlighted Lumma’s effectiveness and sophistication as a malware-as-a-service offering, available for as little as $250.
The recent methods employed by Ghostpulse demonstrate the continually evolving nature of cyber threats. Organisations must stay vigilant and adopt robust security measures to protect themselves from these sophisticated attacks.
Staying Safe from Ghostpulse and Lumma
Elastic has released YARA rules to help detect Ghostpulse at various stages of its attack cycle. Keeping these rules updated is crucial for maintaining effective protection.
Furthermore, being aware of social engineering tactics, being cautious about clicking on unfamiliar links, and practicing strong password hygiene are essential preventive measures against malware threats like Ghostpulse and Lumma.
**Don’t fall victim to Ghostpulse. Enhance your cybersecurity defenses today!**
Worth a look