GHOSTPULSE Conceals Itself in PNG Files to Avoid Detection

GHOSTPULSE has changed how it hides its payload: the encrypted data is now embedded in the pixel values of a PNG image rather than in the file's IDAT chunks. At the same time, the loader is being delivered through social engineering lures such as fake CAPTCHA pages that trick victims into running keyboard-shortcut commands.

Earlier versions stored the encrypted payload in the PNG's IDAT chunks; the latest version instead encodes it directly in the image's pixel data, which makes the malware harder to spot with traditional detection methods that look for anomalous chunks.

Recent campaigns have used social engineering to lure victims into running malicious PowerShell scripts under the guise of a CAPTCHA validation step.

These scripts download and execute GHOSTPULSE, a loader that is used across a range of cybercrime operations to deliver further malware.

Figure: social engineering lure website

The loader has also moved from a multi-file package to a single, self-contained executable: the latest version carries the PNG file holding the encrypted configuration inside its own resources, which simplifies deployment and leaves defenders fewer separate files to spot.

The second stage now locates its configuration in a different way while keeping the same hashing algorithm for resolving Windows API names; the change affects how the malware finds its payload and deployment instructions, not how it calls into the operating system.

Figure: pseudocode comparison of the old and new algorithms

In the previous version, GHOSTPULSE located its encrypted data by scanning the PNG for the string IDAT followed by a particular 4-byte tag.

When the tag matched, the data of that chunk was extracted, and the search continued with the next IDAT string until every piece of the encrypted payload had been collected.

The new version instead extracts the RGB values of every pixel into a byte array and scans that array for a structure that it identifies with a CRC32 hash check. Once the structure is found, it yields the encrypted GHOSTPULSE configuration together with its XOR key, and the malware decrypts the configuration with that key.

Figure: visual breakdown of the extraction process
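The following script is an added example written for this article, not the malware's own code or Elastic's tooling. It reconstructs both retrieval schemes described above in toy form: the old one, which walks IDAT chunks looking for a 4-byte tag, and the new one, which flattens the pixels into an RGB byte array, scans for a record guarded by a CRC32 and uses the offset, size and XOR key in that record to recover the configuration. The tag value (OLD_TAG), the 16-byte record layout (crc32 | offset | size | xor_key), the sample CONFIG and KEY, and all function names are assumptions chosen for illustration; the real loader's layout is not published on this page.

```python
"""Toy reconstruction of the two GHOSTPULSE PNG carrier schemes described
above. Example code written for this article, not the malware's own code or
Elastic's tooling; the IDAT tag value and the 16-byte record layout
(crc32 | offset | size | xor_key) are assumptions for illustration."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
OLD_TAG = b"\xde\xad\xbe\xef"          # assumed marker for the old IDAT scheme
# constructed sample configuration and key, not real GHOSTPULSE data
CONFIG = b'{"c2":"hxxp://example.invalid/gate","sleep":30}'
KEY = b"\x11\x22\x33\x44"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type + data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk after the PNG signature."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length                      # 4 length + 4 type + data + 4 crc


def write_png(width: int, height: int, rgb: bytes, extra: bytes = b"") -> bytes:
    """Minimal 8-bit RGB PNG writer; every row uses filter type 0 (none).
    `extra` lets the caller append additional chunks before IEND."""
    assert len(rgb) == width * height * 3
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3]
                    for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows))
            + extra + chunk(b"IEND", b""))


def read_rgb(png: bytes) -> bytes:
    """Decode the image back into the flat RGB byte array the loader scans.
    Only filter type 0 is handled, which is all write_png() produces."""
    width = height = 0
    idat = b""
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"IDAT":
            idat += data
    raw = zlib.decompress(idat)
    stride = width * 3 + 1                      # one filter byte per row
    return b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))


def collect_tagged_idat(png: bytes, tag: bytes = OLD_TAG) -> bytes:
    """Old scheme: every IDAT chunk whose data begins with the tag carries a
    slice of the encrypted payload; concatenate the slices in file order."""
    return b"".join(data[len(tag):] for ctype, data in iter_chunks(png)
                    if ctype == b"IDAT" and data.startswith(tag))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used both to hide and to recover the config."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_pixel_carrier(config: bytes, key: bytes, rec_off: int = 100,
                        cfg_off: int = 400, width: int = 32, height: int = 32) -> bytes:
    """New scheme (attacker side): drop the locator record and the XOR-encrypted
    config straight into the pixel bytes of an otherwise unremarkable image."""
    buf = bytearray(((i * 37) & 0xFF) for i in range(width * height * 3))  # filler pixels
    body = struct.pack(">II", cfg_off, len(config)) + key          # offset, size, key
    record = struct.pack(">I", zlib.crc32(body)) + body            # crc32 guards the body
    assert rec_off + 16 <= cfg_off and cfg_off + len(config) <= len(buf)
    buf[rec_off:rec_off + 16] = record
    buf[cfg_off:cfg_off + len(config)] = xor_bytes(config, key)
    return write_png(width, height, bytes(buf))


def find_and_decrypt(png: bytes):
    """New scheme (loader side): rebuild the RGB array, slide over it until a
    4-byte value equals the CRC32 of the 12 bytes that follow it, then use the
    offset, size and key in that record to pull out and decrypt the config."""
    rgb = read_rgb(png)
    for i in range(len(rgb) - 15):
        stored = struct.unpack(">I", rgb[i:i + 4])[0]
        body = rgb[i + 4:i + 16]
        if zlib.crc32(body) == stored:
            cfg_off, size = struct.unpack(">II", body[:8])
            key = body[8:12]
            if cfg_off + size <= len(rgb):
                return key, xor_bytes(rgb[cfg_off:cfg_off + size], key)
    return None


if __name__ == "__main__":
    old = write_png(2, 2, bytes(12), extra=chunk(b"IDAT", OLD_TAG + b"part-1,")
                    + chunk(b"IDAT", OLD_TAG + b"part-2"))
    print("old scheme:", collect_tagged_idat(old))
    print("new scheme:", find_and_decrypt(build_pixel_carrier(CONFIG, KEY)))
```

The contrast matters for detection: the old carrier can be flagged by chunk-level checks (extra IDAT chunks that do not decompress as image data, or a known tag at the start of a chunk), whereas the new carrier is a structurally valid PNG whose only tell is the statistical oddity of the pixel values, so an analyst has to decode the image and scan the pixel bytes, as find_and_decrypt() does, rather than inspect the chunk list.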

Elastic has updated its YARA rules for GHOSTPULSE. The first rule, Windows_Trojan_GHOSTPULSE_1, matches byte sequences found in the first and second stages of the infection.

The second rule, Windows_Trojan_GHOSTPULSE_2, matches a specific sequence from the malware's execution. Both rules are intended to catch the loader before the final stage of the infection is delivered.

According to Elastic Security Labs, GHOSTPULSE malware employs novel data embedding within pixel structures to evade detection, highlighting the ongoing arms race between attackers and defenders who require updated tools and collaborative threat intelligence. 

Kaaviya (https://cyberpress.org/) is a Security Editor and reporter with Cyber Press, covering cyber security incidents.
