Invisible virus: GHOSTPULSE hides in the pixels of ordinary images

A new infection technique masks the code in colors.

The Elastic Security Labs team has identified a new technique for distributing the GHOSTPULSE malware: loading data through the pixels of a PNG file. Elastic describes this as one of the most significant changes in how the malware operates since it first appeared in 2023.

Previously, GHOSTPULSE (also tracked as HIJACKLOADER and IDATLOADER) hid malicious data in the IDAT chunks of PNG files. The new algorithm instead embeds the malicious data directly in the pixel structure of the image, which makes detection more difficult.

The new version is already actively used in cyberattacks that rely on sophisticated social engineering. One example is the LUMMA STEALER campaigns in which the user is asked to press a keyboard shortcut instead of solving the usual CAPTCHA; this runs a script that downloads and executes the GHOSTPULSE payload.

Previously, the malware was distributed as a multi-file package that included an executable file, an encrypted DLL and a PNG with an encrypted configuration. In the updated version, the whole process is simplified: one executable file contains a PNG image in the resources section.

The new version retains many of the old elements, including the Windows API hashing algorithm. The key change is how the configuration is located. Instead of reading an IDAT chunk, the loader now extracts data from the RGB values of the pixels. It builds a byte array by traversing each pixel and appending its color values, then searches that array for 16-byte blocks in which the first 4 bytes are a CRC32 hash and the remaining 12 bytes are the data the hash must match. A matching hash marks the block that leads to the configuration and the XOR key used to decrypt it.
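The pixel-walk and CRC32 check described above, written out as an analysis helper. This is an added example, not Elastic's configuration extractor or any code from the malware: it flattens (R, G, B) pixels into a byte stream, slides a 16-byte window over it and reports every window whose leading 4 bytes equal the CRC32 of the trailing 12. Assumptions not stated on the page: the hash is stored little-endian, and the sample pixel data is constructed here, so the 12-byte payload is a placeholder rather than a real GHOSTPULSE record (the page does not describe what the 12 bytes encode).

```python
import zlib
from typing import List, Tuple

BLOCK_SIZE = 16  # 4-byte CRC32 tag + 12 bytes of tagged data
TAG_SIZE = 4

def pixels_to_bytes(pixels: List[Tuple[int, int, int]]) -> bytes:
    """Flatten (R, G, B) tuples into the linear byte array the loader walks."""
    return bytes(channel for pixel in pixels for channel in pixel)

def find_tagged_blocks(data: bytes, byteorder: str = "little") -> List[Tuple[int, bytes]]:
    """Return (offset, payload) for every 16-byte window whose first 4 bytes
    are the CRC32 of its remaining 12 bytes. Byte order of the tag is an assumption."""
    hits = []
    for off in range(0, len(data) - BLOCK_SIZE + 1):
        tag = int.from_bytes(data[off:off + TAG_SIZE], byteorder)
        payload = data[off + TAG_SIZE:off + BLOCK_SIZE]
        if zlib.crc32(payload) & 0xFFFFFFFF == tag:
            hits.append((off, payload))
    return hits

def looks_like_pixel_stash(pixels: List[Tuple[int, int, int]]) -> bool:
    """Detection heuristic: an ordinary image is very unlikely to contain a
    self-consistent CRC32-tagged window by chance (about 1 in 2**32 per window),
    so any hit is worth a closer look."""
    return bool(find_tagged_blocks(pixels_to_bytes(pixels)))

def build_sample_pixels() -> List[Tuple[int, int, int]]:
    """Constructed sample, not real malware data: filler pixels with one tagged block spliced in."""
    payload = b"CONFIG-PTR:1"  # 12-byte placeholder for the tagged data
    tag = zlib.crc32(payload).to_bytes(TAG_SIZE, "little")
    before = bytes([0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90])  # 3 pixels
    after = bytes(range(0x11, 0x1C))  # 11 bytes, so the total (36) is a whole number of pixels
    stream = before + tag + payload + after
    return [tuple(stream[i:i + 3]) for i in range(0, len(stream), 3)]

if __name__ == "__main__":
    sample = build_sample_pixels()
    for off, payload in find_tagged_blocks(pixels_to_bytes(sample)):
        print(f"tagged block at byte offset {off}: {payload!r}")
    print("suspicious:", looks_like_pixel_stash(sample))
```

To run this over a real file, decode the image with Pillow (`Image.open(path).convert("RGB").getdata()`) and pass the pixel list in; the scan is O(n) in the number of bytes, so it is cheap enough to apply to every image found in a suspect executable's resource section.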

The current versions of GHOSTPULSE are considerably more sophisticated than the earlier ones, which were spread through suspicious executables promoted by search engine optimization (SEO) and advertising campaigns.

Such techniques let GHOSTPULSE evade traditional file-centric scanners. With Lumma actively spreading among cybercriminals, defenders should keep their detection content current. Elastic Security has updated its YARA rules and configuration extraction tool to detect and analyze GHOSTPULSE.
