This sneaky Ghostpulse malware hides in PNG image files
Ghostpulse deploys a dangerous infostealer
Cybersecurity researchers from Elastic Security have uncovered a new version of the infamous Ghostpulse malware hiding in the pixels of a .PNG file.
In their technical write-up, the researchers explained the malware’s operators continue to demonstrate incredible levels of creativity and knowledge, as they find new ways to distribute the malware and hide it from antivirus programs and endpoint protection solutions.
The move marks a major shift from Ghostpulse’s previous obfuscation technique, which abused the IDAT chunk of PNG files to hide malicious payloads, the researchers said.
Reading PNG files
To infect the victim with the malware, the crooks would first use social engineering to trick the victim into visiting an attacker-controlled website. There, the visitor would be presented with what appeared to be a standard CAPTCHA. However, instead of being asked to find images of a dog or a fire hydrant, visitors are asked to press a specific keyboard shortcut, which copies a malicious piece of JavaScript code into the clipboard.
That code triggers a PowerShell script that downloads and runs the Ghostpulse payload.
The payload is a single file - a “benign but compromised executable file” that includes a PNG file within its resources section. The malware works by looking at specific pixels and reading their colors to collect the information hidden inside. The color values are broken into small chunks of data, which are then checked with a type of “math test” to see whether they contain hidden malware instructions.
If a chunk passes the test, the malware gathers the information and uses XOR to unlock and use the hidden instructions, ultimately infecting the endpoint.
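The pixel-reading and checksum-gating behaviour described above suggests a simple triage check for suspicious images. The following Python is an added example, not code from the article or from Elastic: it decodes a PNG's raw RGB bytes and flags 16-byte blocks that carry their own CRC32 (a self-consistent structure of the kind a “math test” gate implies). The block layout (12 bytes plus a trailing little-endian CRC32), the CRC32 choice, the filter-type-0 restriction and the sample image are all assumptions constructed for this example.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_rgb_bytes(data: bytes) -> bytes:
    """Decode an 8-bit RGB PNG into its raw R,G,B byte stream.
    Assumption for this example: every scanline uses filter type 0 (None)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, color = struct.unpack(">IIBB", body[:10])
            if (depth, color) != (8, 2):
                raise ValueError("example handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    raw, stride, out = zlib.decompress(idat), 1 + 3 * width, bytearray()
    for row in range(height):
        line = raw[row * stride:(row + 1) * stride]
        if line[0] != 0:
            raise ValueError("only filter type 0 handled in this example")
        out += line[1:]
    return bytes(out)

def find_self_checked_blocks(pixels: bytes) -> list:
    """Triage heuristic: offsets of 16-byte blocks whose last 4 bytes equal the
    CRC32 of the first 12 (assumed layout; a chance match is about 2^-32 per offset)."""
    return [off for off in range(len(pixels) - 15)
            if struct.unpack("<I", pixels[off + 12:off + 16])[0] == zlib.crc32(pixels[off:off + 12])]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_png(width: int, height: int, rgb: bytes) -> bytes:
    """Build a minimal filter-0 RGB PNG around raw pixel bytes (for the constructed sample)."""
    rows = b"".join(b"\x00" + rgb[r * 3 * width:(r + 1) * 3 * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")

# Constructed sample: a 4x4 image whose pixel stream carries one self-checked block at byte 24.
CLEAN = bytes(range(48))
MARK = b"KEY!" + bytes(8)
STEGO = CLEAN[:24] + MARK + struct.pack("<I", zlib.crc32(MARK)) + CLEAN[40:]
```

A hit only says the pixel data contains a checksum-consistent structure, which is a reason to pull the image for deeper analysis, not proof of a Ghostpulse payload.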
Ghostpulse is usually used as a loader, deploying more dangerous malware to the compromised systems. Elastic Security found that most of the time, the crooks use it to deploy the Lumma infostealer.
Via The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.