GHOSTPULSE Hides Within PNG File Pixel Structure To Evade Detections

Recent campaigns targeting victims through social engineering tactics utilize LUMMA STEALER with GHOSTPULSE as its loader.

By tricking victims into executing a series of Windows keyboard shortcuts, malicious JavaScript is executed, leading to the execution of a PowerShell script. 

The script downloads and executes a GHOSTPULSE payload, which is now a single executable file containing the encrypted configuration within its resources section. This simplifies the malware’s deployment process.

It has undergone a significant update, primarily affecting its configuration retrieval method, where previously, it would extract encrypted data from a PNG file by searching for specific markers and tags, which involved sequentially parsing the file and extracting chunks based on matching identifiers. 

Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here 

The new version implements a more complex approach, likely involving different hashing algorithms and data structures to locate and retrieve the configuration.

This approach aims to enhance the malware’s resilience against detection and analysis, making it more difficult to track and mitigate its impact.

The malware encrypts its configuration within the pixels of an image, which extracts the RGB values from each pixel to construct a byte array.

By iterating through the byte array in 16-byte blocks and comparing CRC32 hashes, the malware locates the encrypted GHOSTPULSE configuration. 

It then extracts the configuration’s offset, size, and XOR key. It decrypts it using the XOR algorithm, effectively hiding the malware’s configuration within the image, making it more difficult to detect and analyze.

Researchers enhanced the configuration extractor to accommodate both GHOSTPULSE versions, which refined the tool to process PNG files and extract their embedded payloads. 

The updated YARA rules for GHOSTPULSE detection, released by Elastic Security, are designed to identify the malware’s second stage of infection, which will be incorporated into Elastic Defend in a future update, focusing on specific byte sequences within the malware’s executable. 

Rule Windows_Trojan_GHOSTPULSE_1 targets unique byte patterns found in the second stage, while rule Windows_Trojan_GHOSTPULSE_2 identifies a specific sequence of instructions related to the malware’s execution flow.

These rules effectively prevent the malware from completing its malicious activities by detecting these patterns.

The GHOSTPULSE malware family has undergone significant evolution since its 2023 debut, as the recent update represents a major overhaul, demanding adaptive countermeasures from defenders. 

The landscape of cyber threats is constantly shifting, and to keep up with the changes, collaboration and innovation are still necessary for secure protection.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide (PDF)