Malware

GHOSTPULSE Hides Within PNG File Pixel Structure To Evade Detections

Recent campaigns targeting victims through social engineering tactics utilize LUMMA STEALER with GHOSTPULSE as its loader.

By tricking victims into executing a series of Windows keyboard shortcuts, malicious JavaScript is executed, leading to the execution of a PowerShell script. 

The script downloads and executes a GHOSTPULSE payload, which is now a single executable file containing the encrypted configuration within its resources section. This simplifies the malware’s deployment process.

Large embedded PNG file in the resources sectionLarge embedded PNG file in the resources section
Large embedded PNG file in the resources section

It has undergone a significant update, primarily affecting its configuration retrieval method, where previously, it would extract encrypted data from a PNG file by searching for specific markers and tags, which involved sequentially parsing the file and extracting chunks based on matching identifiers. 

Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here 

The new version implements a more complex approach, likely involving different hashing algorithms and data structures to locate and retrieve the configuration.

This approach aims to enhance the malware’s resilience against detection and analysis, making it more difficult to track and mitigate its impact.

Pseudocode code comparison between old and new algorithm

The malware encrypts its configuration within the pixels of an image, which extracts the RGB values from each pixel to construct a byte array.

By iterating through the byte array in 16-byte blocks and comparing CRC32 hashes, the malware locates the encrypted GHOSTPULSE configuration. 

It then extracts the configuration’s offset, size, and XOR key. It decrypts it using the XOR algorithm, effectively hiding the malware’s configuration within the image, making it more difficult to detect and analyze.

visual breakdown of the process

Researchers enhanced the configuration extractor to accommodate both GHOSTPULSE versions, which refined the tool to process PNG files and extract their embedded payloads. 

The updated YARA rules for GHOSTPULSE detection, released by Elastic Security, are designed to identify the malware’s second stage of infection, which will be incorporated into Elastic Defend in a future update, focusing on specific byte sequences within the malware’s executable. 

Rule Windows_Trojan_GHOSTPULSE_1 targets unique byte patterns found in the second stage, while rule Windows_Trojan_GHOSTPULSE_2 identifies a specific sequence of instructions related to the malware’s execution flow.

These rules effectively prevent the malware from completing its malicious activities by detecting these patterns.

The GHOSTPULSE malware family has undergone significant evolution since its 2023 debut, as the recent update represents a major overhaul, demanding adaptive countermeasures from defenders. 

The landscape of cyber threats is constantly shifting, and to keep up with the changes, collaboration and innovation are still necessary for secure protection.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide (PDF)

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

6 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

7 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

7 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

7 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

7 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

7 hours ago