Pixel perfect Ghostpulse malware loader hides inside PNG image files
The Ghostpulse malware strain now retrieves its main payload via a PNG image file’s pixels. This development, security experts say, is “one of the most significant changes” made by the crooks behind it since launching in 2023.
The PNG format is popular for web graphics and is often preferred to the lossy JPEG format because it is lossless and therefore preserves fine detail such as crisp text edges.
Elastic Security Labs’ Salim Bitam noted that Ghostpulse is often used in campaigns as a loader for more dangerous types of malware such as the Lumma infostealer, and that the latest change makes it even more difficult to detect.
Previous versions of Ghostpulse were also difficult to detect and used sneaky methods such as hiding payloads in a PNG file’s IDAT chunk. The latest version instead decodes the image and parses its pixels, with the malicious data embedded in the pixel values themselves.
“The malware constructs a byte array by extracting each pixel’s red, green, and blue (RGB) values sequentially using standard Windows APIs from the GdiPlus (GDI+) library,” Bitam said. “Once the byte array is built, the malware searches for the start of a structure that contains the encrypted Ghostpulse configuration, including the XOR key needed for decryption.
“It does this by looping through the byte array in 16-byte blocks. For each block, the first four bytes represent a CRC32 hash, and the next 12 bytes are the data to be hashed. The malware computes the CRC32 of the 12 bytes and checks if it matches the hash. If a match is found, it extracts the offset of the encrypted Ghostpulse configuration, its size, and the four-byte XOR key, and then XOR decrypts it.”
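The search-and-decrypt routine described above, reimplemented here as an analyst-side triage script. This is an added example, not Ghostpulse’s own code and not Elastic’s tooling. It works on the flattened RGB byte stream that the loader builds from GDI+ pixel reads; the field order inside the 12 hashed bytes (offset, size, XOR key as little-endian uint32) and the little-endian encoding of the stored CRC32 are assumptions made for illustration, as is the sample “image”, which is constructed with a seeded generator rather than taken from a real campaign.

```python
"""Locate and decrypt a CRC32-anchored, XOR-encrypted blob hidden in the
RGB byte stream of an image, following the scheme Elastic describes for
Ghostpulse: walk the bytes in 16-byte blocks, treat the first 4 bytes of a
block as a CRC32 over the remaining 12, and on a match read offset, size
and XOR key from those 12 bytes.

Added example for analysts; not Ghostpulse's or Elastic's code. ASSUMED:
12-byte field layout (offset, size, key; little-endian uint32 each) and
little-endian storage of the CRC32 itself.
"""
import random
import struct
import zlib
from typing import Iterable, Optional, Tuple

BLOCK = 16                       # the loader steps through the stream 16 bytes at a time
BODY = struct.Struct("<III")     # offset, size, xor_key (assumed layout)


def pixels_to_bytes(pixels: Iterable[Tuple[int, int, int]]) -> bytes:
    """Flatten (R, G, B) tuples into the sequential byte array the loader
    assembles from per-pixel GDI+ reads (alpha, if present, is ignored)."""
    out = bytearray()
    for r, g, b in pixels:
        out += bytes((r, g, b))
    return bytes(out)


def find_config_header(data: bytes, stride: int = BLOCK) -> Optional[Tuple[int, int, int, int]]:
    """Return (block_pos, offset, size, key) for the first block whose leading
    CRC32 matches the CRC32 of its trailing 12 bytes, else None.
    stride=16 mirrors the loader; stride=1 slides byte by byte for hunting."""
    for pos in range(0, len(data) - BLOCK + 1, stride):
        block = data[pos:pos + BLOCK]
        stored_crc = struct.unpack_from("<I", block, 0)[0]
        if zlib.crc32(block[4:]) & 0xFFFFFFFF == stored_crc:
            offset, size, key = BODY.unpack_from(block, 4)
            return pos, offset, size, key
    return None


def xor_decrypt(blob: bytes, key: int) -> bytes:
    """Repeating 4-byte XOR; symmetric, so it also encrypts."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(blob))


def extract_config(data: bytes, stride: int = BLOCK) -> Optional[bytes]:
    """Find the header and return the decrypted configuration, or None if no
    header is found or it points outside the byte array (treated as corrupt)."""
    hit = find_config_header(data, stride)
    if hit is None:
        return None
    _, offset, size, key = hit
    if offset + size > len(data):
        return None
    return xor_decrypt(data[offset:offset + size], key)


def embed_config(cover: bytes, config: bytes, key: int, header_at: int) -> bytes:
    """Test helper: write header block + encrypted config into a copy of
    `cover`, placing the config right after the header block."""
    if header_at % BLOCK:
        raise ValueError("header must be 16-byte aligned for the loader's stride")
    offset = header_at + BLOCK
    if offset + len(config) > len(cover):
        raise ValueError("cover too small for the configuration")
    body = BODY.pack(offset, len(config), key)
    header = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body
    buf = bytearray(cover)
    buf[header_at:header_at + BLOCK] = header
    buf[offset:offset + len(config)] = xor_decrypt(config, key)
    return bytes(buf)


def build_sample() -> Tuple[bytes, bytes, int, int]:
    """Constructed sample (not a real Ghostpulse artefact): 256 pseudo-random
    RGB pixels with a demo config hidden at block offset 160.
    Returns (stego_bytes, plaintext_config, key, header_position)."""
    rng = random.Random(7)
    cover = pixels_to_bytes(
        (rng.randrange(256), rng.randrange(256), rng.randrange(256)) for _ in range(256)
    )
    secret = b'{"c2":"example.invalid","mode":"demo"}'   # placeholder config
    key = 0xDEADBEEF
    return embed_config(cover, secret, key, header_at=160), secret, key, 160


if __name__ == "__main__":
    stego, secret, key, hdr = build_sample()
    print("header:", find_config_header(stego))
    print("config:", extract_config(stego))
```

The script deliberately stays on the byte stream so it runs with the standard library alone; feeding it a real file means decoding the PNG to RGB first (Pillow’s `Image.open(path).convert("RGB").tobytes()` gives exactly this layout). Because the loader steps in fixed 16-byte blocks, a header that is not 16-byte aligned in the stream would be missed by the malware itself; `stride=1` is the more tolerant setting when hunting through samples. A 32-bit CRC over 12 bytes gives roughly a one-in-four-billion false match per block, so on ordinary images the scan returns None.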
Ghostpulse is far from the first malware strain to hide its malicious files within pixels. However, the finding speaks to the consistent craftiness exhibited by those behind it.
The technique goes hand-in-hand with the social engineering techniques used to download the file in the first place. Bitam said victims are tricked into visiting an attacker-controlled website and validating what appears to be a routine CAPTCHA.
However, instead of ticking a box or selecting the images that match a prompt, victims are instructed to press specific keyboard shortcuts that copy malicious JavaScript to the clipboard and run it. From there, a PowerShell script downloads and executes the Ghostpulse payload.
McAfee recently spotted the same method being used to drop Lumma, but didn’t reference Ghostpulse’s involvement. Its researchers noted that GitHub users were being targeted specifically using emails purportedly asking them to fix a non-existent security vulnerability.
The sophistication here is far greater than what the cybercriminals behind Ghostpulse demonstrated in early versions, which relied on victims downloading dodgy executables following SEO poisoning or malvertising efforts.
Using these techniques, the malware does a good job of evading simple, file-based malware scanning methods and, given how pervasive Lumma is among cybercriminals, it’s a good idea to ensure defenses are ready to block it.
Cyfirma’s experts describe Lumma as a “potent” and “sophisticated” malware-as-a-service offering that’s been around since 2022. It targets all kinds of data including sensitive types and sources such as cryptocurrency wallets, web browsers, email clients, and two-factor authentication browser extensions.
According to Darktrace, access to Lumma can be purchased for as little as $250 – a price that can rise to $20,000 for the source code.
It’s often distributed via trojanized downloads for popular software, and the myriad campaigns using it have impersonated brands from ChatGPT to CrowdStrike, the latter just days after its update nightmare.
“Mirroring the general emergence and rise of information stealers across the cyber threat landscape, Lumma stealer continues to represent a significant concern to organizations and individuals alike,” Darktrace said.
Reg readers may also remember that Lumma was fingered as one of the infostealers that exploited a Google zero-day to maintain access to compromised accounts even after passwords were changed.
If you implemented the YARA rules Elastic released last year, these will still be enough to keep your organization safe from the malware’s final infection stage, Bitam said, although it recently released some updated ones to catch Ghostpulse in the act sooner.
“In summary, the Ghostpulse malware family has evolved since its release in 2023, with this recent update marking one of the most significant changes,” said Bitam. “As attackers continue to innovate, defenders must adapt by utilizing updated tools and techniques to mitigate these threats effectively.” ®