PNG files are popular and widely used on the internet, making them a tempting target for threat actors. They can hide malicious code in these files using techniques like steganography.
Recently, researchers at Elastic Security Labs discovered that GHOSTPULSE malware hides within the pixel structure of PNG files to avoid detection.
GHOSTPULSE Malware
The GHOSTPULSE malware family, also known as “HIJACKLOADER” or “IDATLOADER,” has evolved significantly since its discovery in 2023. Initially hiding malicious payloads in the “IDAT chunks” of PNG files, the latest version now embeds its “configuration” and “payload” directly within image pixels.
This new method uses the “RED,” “GREEN,” and “BLUE” (RGB) values of each pixel, which are extracted in order using Windows GDI+ library APIs.
The malware creates a “byte array” from these values and looks for a specific structure that contains its “encrypted configuration.” It does this by analyzing “16-byte blocks,” where the first 4 bytes are a “CRC32 hash” and the next 12 bytes contain the data to be hashed.
When a match is found, GHOSTPULSE extracts the “offset,” “size,” and “4-byte XOR key” for the encrypted configuration and then decrypts it.
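The pixel-to-bytes walk and the CRC32 block search described above, as an added example that is not Elastic's extractor or the malware's own code. It assumes a little-endian CRC32, that the 12 hashed bytes are laid out as offset, size and XOR key (each 4 bytes), that the key repeats across the payload, and that the 16-byte block may start at any byte; the "image" is a constructed list of pixels, not a real sample.

```python
import struct
import zlib

# Constructed demo values, not taken from a real GHOSTPULSE image.
XOR_KEY = b"\x13\x37\xbe\xef"
PLAINTEXT_CONFIG = b"https://c2.example.invalid/gate\x00"

def xor_bytes(data, key):
    """XOR data with a repeating 4-byte key (assumed application of the key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rgb_bytes_from_pixels(pixels):
    """Flatten (R, G, B) tuples into one byte array, pixel by pixel, channel by channel.
    The real loader obtains these via GDI+ calls; here the pixels are given directly."""
    return bytes(channel for pixel in pixels for channel in pixel)

def find_config_block(data):
    """Slide a 16-byte window over the stream: bytes 0-3 must equal the CRC32 of bytes 4-15.
    Assumed layout of the hashed 12 bytes: offset (u32 LE), size (u32 LE), 4-byte XOR key."""
    for i in range(len(data) - 15):
        (crc,) = struct.unpack_from("<I", data, i)
        body = data[i + 4:i + 16]
        if zlib.crc32(body) != crc:
            continue
        offset, size = struct.unpack_from("<II", body)
        if offset + size <= len(data):      # reject a hit that points outside the stream
            return offset, size, body[8:12]
    return None

def extract_config(data):
    """Locate the header block and decrypt the configuration it points at (None if absent)."""
    hit = find_config_block(data)
    if hit is None:
        return None
    offset, size, key = hit
    return xor_bytes(data[offset:offset + size], key)

def build_sample_pixels():
    """Construct a tiny 'image': filler bytes, the header block, then the encrypted config."""
    filler = b"\x00" * 7
    offset = len(filler) + 16               # config starts right after the 16-byte block
    body = struct.pack("<II", offset, len(PLAINTEXT_CONFIG)) + XOR_KEY
    header = struct.pack("<I", zlib.crc32(body)) + body
    stream = filler + header + xor_bytes(PLAINTEXT_CONFIG, XOR_KEY)
    stream += b"\x00" * (-len(stream) % 3)  # pad so it splits into whole RGB pixels
    return [tuple(stream[i:i + 3]) for i in range(0, len(stream), 3)]

if __name__ == "__main__":
    print(extract_config(rgb_bytes_from_pixels(build_sample_pixels())))
```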
This pixel-based method is a major shift from the previous “IDAT chunk” technique, making the malware harder to detect.
Recent campaigns have simplified the deployment of GHOSTPULSE by packaging it as a single compromised executable with an embedded PNG file, instead of using the earlier multi-file approach.
In response, researchers at Elastic Security Labs improved their “configuration extractor tool” to work with both the original and updated versions of GHOSTPULSE.
This specialized tool analyzes the PNG image files the malware uses as a hiding place and extracts the malicious payload from them.
The original YARA rule in Elastic Defend still works against the first stage of infection, and researchers have developed new YARA rules to detect the updated GHOSTPULSE variant.
The updated configuration extractor helps researchers understand and combat this sophisticated threat by providing crucial insights into the malware’s evolving tactics and supporting the analysis of both GHOSTPULSE versions. This highlights the need for continuous adaptation in cybersecurity to stay ahead of increasingly innovative attack methods.
IOCs