Gandalf_The_Grey
- Apr 24, 2016
The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023.
The PNG format is widely used for web graphics and is often chosen over the lossy JPEG format because it is lossless and preserves fine detail such as smooth text outlines.
Elastic Security Labs' Salim Bitam noted that Ghostpulse is often used in campaigns as a loader for more dangerous types of malware such as the Lumma infostealer, and that the latest change makes it even more difficult to detect.
Previous versions of Ghostpulse were also difficult to detect and used sneaky methods such as hiding payloads in a PNG file's IDAT chunk. The new version instead parses the decoded image's pixels, with the malicious data embedded in the pixel values themselves.
"The malware constructs a byte array by extracting each pixel's red, green, and blue (RGB) values sequentially using standard Windows APIs from the GdiPlus (GDI+) library," Bitam said. "Once the byte array is built, the malware searches for the start of a structure that contains the encrypted Ghostpulse configuration, including the XOR key needed for decryption.
"It does this by looping through the byte array in 16-byte blocks. For each block, the first four bytes represent a CRC32 hash, and the next 12 bytes are the data to be hashed. The malware computes the CRC32 of the 12 bytes and checks if it matches the hash. If a match is found, it extracts the offset of the encrypted Ghostpulse configuration, its size, and the four-byte XOR key, and then XOR decrypts it."
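The search loop Bitam describes can be turned into a forensic scanner: given the raw RGB byte array of an image, walk it in 16-byte blocks, verify the CRC32 tag, and recover the configuration. This is an added example, not Elastic's code or the malware's; the field order (offset, size, key), little-endian layout, and cyclic 4-byte XOR are assumptions, since the article only names the three fields. The sample byte array is constructed inline so the script runs offline; on a real file, Pillow's `Image.open(path).convert("RGB").tobytes()` would supply the pixel bytes.

```python
import struct
import zlib

BLOCK = 16  # the structure is searched in 16-byte blocks, as described above


def find_config_header(pixel_bytes: bytes):
    """Return (block_offset, cfg_offset, cfg_size, xor_key) or None.

    Each block: 4-byte CRC32 tag followed by the 12 bytes it covers.
    Field order and endianness of those 12 bytes are assumptions.
    """
    for i in range(0, len(pixel_bytes) - BLOCK + 1, BLOCK):
        block = pixel_bytes[i:i + BLOCK]
        stored_crc = struct.unpack("<I", block[:4])[0]
        data = block[4:]
        if zlib.crc32(data) & 0xFFFFFFFF != stored_crc:
            continue
        cfg_offset, cfg_size, key = struct.unpack("<III", data)
        # A CRC32 match on 12 arbitrary bytes is possible by chance:
        # reject hits whose fields do not fit inside the byte array.
        if cfg_size == 0 or cfg_offset + cfg_size > len(pixel_bytes):
            continue
        return i, cfg_offset, cfg_size, key
    return None


def xor_decrypt(blob: bytes, key: int) -> bytes:
    """Apply the 4-byte key cyclically (assumed mode of the XOR step)."""
    key_bytes = key.to_bytes(4, "little")
    return bytes(b ^ key_bytes[j % 4] for j, b in enumerate(blob))


def extract_config(pixel_bytes: bytes):
    """Locate the tagged header and return the decrypted configuration."""
    hit = find_config_header(pixel_bytes)
    if hit is None:
        return None
    _, cfg_offset, cfg_size, key = hit
    return xor_decrypt(pixel_bytes[cfg_offset:cfg_offset + cfg_size], key)


def constructed_sample() -> bytes:
    """Constructed stand-in for an image's RGB byte array (not a real sample)."""
    plaintext, key, header_at, cfg_at = b"CONSTRUCTED-SAMPLE-CONFIG", 0xA1B2C3D4, 64, 128
    buf = bytearray(bytes(range(256)) * 2)  # 512 bytes of filler "pixel" data
    data = struct.pack("<III", cfg_at, len(plaintext), key)
    buf[header_at:header_at + BLOCK] = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data
    buf[cfg_at:cfg_at + len(plaintext)] = xor_decrypt(plaintext, key)  # XOR is symmetric
    return bytes(buf)
```

Running `extract_config(constructed_sample())` on the constructed array recovers the embedded configuration; a scan of an image that yields a hit with in-bounds fields is a strong indicator worth alerting on.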
Ghostpulse is far from the first malware strain to hide its malicious files within pixels. However, the finding speaks to the consistent craftiness exhibited by those behind it.
The technique goes hand-in-hand with the social engineering techniques used to download the file in the first place. Bitam said victims are tricked into visiting an attacker-controlled website and validating what appears to be a routine CAPTCHA.
However, instead of checking a box or a series of images matching a prompt, victims are instructed to enter specific keyboard shortcuts that copy malicious JavaScript to the user's clipboard. From there, a PowerShell script is run that downloads and executes the Ghostpulse payload.
Source: "Sneaky Ghostpulse malware loader hides inside PNG pixels: Miscreants combine it with an equally tricky piece of social engineering" (www.theregister.com)