This sneaky Ghostpulse malware hides in PNG image files

Ghostpulse deploys a dangerous infostealer

TechRadar

News By Sead Fadilpašić published 22 October 2024


Cybersecurity researchers from Elastic Security have uncovered a new version of the infamous Ghostpulse malware hiding in the pixels of a .PNG file.

In their technical write-up, the researchers explained that the malware’s operators continue to demonstrate considerable creativity and skill, finding new ways to distribute the malware and hide it from antivirus programs and endpoint protection solutions.

According to the researchers, the move marks a major shift from Ghostpulse’s previous obfuscation technique, which abused the IDAT chunk of PNG files to hide malicious payloads.

Reading PNG files

To infect a victim with the malware, the crooks first use social engineering to lure them to an attacker-controlled website. There, the visitor is presented with what appears to be a standard CAPTCHA. However, instead of being asked to pick out images of a dog or a fire hydrant, the visitor is told to press a specific keyboard shortcut, which copies a malicious piece of JavaScript code into the clipboard.

That code triggers a PowerShell script that downloads and runs the Ghostpulse payload.

The payload is a single file - a “benign but compromised executable file” that carries a PNG file in its resources section. The malware works by reading the colour values of specific pixels to collect the information hidden inside. The colour data is broken into small chunks, each of which is checked with a kind of “math test” to see whether it contains hidden malware instructions.

If a chunk passes the test, the malware gathers its data and uses XOR to unlock the hidden instructions, ultimately infecting the endpoint.
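An analyst-side reconstruction of the decoding flow just described, added here as an illustration and not code from the article or from Elastic's write-up: the pixel stream of a PNG is cut into fixed-size blocks, each block is put through a checksum test, and the blocks that pass are XOR-decoded. The CRC32 test, the 16-byte block layout, the length prefix, the key and the sample payload are all assumptions standing in for the unspecified “math test” and format; the image is a stand-alone PNG built with the standard library rather than one pulled from an executable's resources section.

```python
import random
import struct
import zlib
XOR_KEY = b"demo-key"        # constructed demo key, not the sample's
BLOCK, DATA = 16, 12         # 16-byte block = 12 data bytes + 4-byte CRC32 (assumed layout)

def xor(buf, key=XOR_KEY):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))
def _chunk(tag, body):
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
def make_png(rgb, width):
    """Wrap raw 8-bit RGB bytes in a minimal PNG (filter byte 0 on every row)."""
    height = len(rgb) // (width * 3)
    rows = b"".join(b"\x00" + rgb[r * width * 3:(r + 1) * width * 3] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))

def png_pixels(png):
    """Return the RGB byte stream of an 8-bit RGB PNG whose rows use filter type 0."""
    pos, idat, width = 8, b"", 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width = struct.unpack(">I", body[:4])[0]
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw, stride = zlib.decompress(idat), width * 3 + 1
    return b"".join(raw[i + 1:i + stride] for i in range(0, len(raw), stride))

def embed(payload, width=8, cover_blocks=2):
    """Build the test image: length prefix + XOR'd payload, cut into 12-byte pieces, each sealed with CRC32."""
    stream = struct.pack(">I", len(payload)) + xor(payload)
    stream += b"\x00" * (-len(stream) % DATA)
    hidden = b"".join(stream[i:i + DATA] + struct.pack(">I", zlib.crc32(stream[i:i + DATA]))
                      for i in range(0, len(stream), DATA))
    rgb = random.Random(7).randbytes(cover_blocks * BLOCK) + hidden   # deterministic cover "noise"
    return make_png(rgb + bytes(-len(rgb) % (width * 3)), width)

def extract(png):
    """Walk pixel bytes in blocks, keep those passing the checksum test, XOR the gathered data."""
    px = png_pixels(png)
    passed = b"".join(px[i:i + DATA] for i in range(0, len(px) - BLOCK + 1, BLOCK)
                      if struct.unpack(">I", px[i + DATA:i + BLOCK])[0] == zlib.crc32(px[i:i + DATA]))
    if len(passed) < 4:
        return None                               # no block passed: nothing hidden, or a different format
    n = struct.unpack(">I", passed[:4])[0]
    return xor(passed[4:4 + n]) if 4 + n <= len(passed) else None
```

Running `extract(embed(b"..."))` round-trips the constructed payload, while a PNG with no sealed blocks yields `None`, which is the kind of check an analyst would apply to a suspect image before trusting a recovered blob.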
