<img src=”https://cdn.mos.cms.futurecdn.net/tfTPM2h23pWZ3334EbhVKT.jpg” />

Cybersecurity researchers from Elastic Security have uncovered a new version of the infamous Ghostpulse malware hiding in the pixels of a .PNG file.

In their technical write-up, the researchers explained the malware’s operators continue to demonstrate incredible levels of creativity and knowledge, as they find new ways to distribute the malware and hide it from Antivirus programs and endpoint protection solutions.

The move marks a major shift from Ghostpulse’s previous obfuscation technique, which included abusing the IDAT chunk of PNG files to hide malicious payloads, it was said.

Reading PNG files

To infect the victim with the malware, the crooks would first use social engineering to trick the victim into visiting an attacker-controlled website. There, the visitor would be presented with what appeared to be your standard CAPTCHA. However, instead of finding images of a dog or a fire hydrant, the visitors are asked to press a specific keyboard shortcut, which copies a malicious piece of JavaScript code into the clipboard.

That code triggers a PowerShell script that downloads and runs the Ghostpulse payload.

The payload is a single file – a “benign but compromised executable file” that includes a PNG file within its resources section. The malware works by looking at the specific pixels and reading their color to collect information hidden inside. The colors are broken into small chunks of data, which are then checked using a type of “math test” to see if they contain hidden malware instructions.

If they pass the test, the malware gathers the information, and uses XOR to unlock and use the hidden instructions, ultimately infecting the endpoint.

Ghostpulse is usually used as a loader, deploying more dangerous malware to the compromised systems. Elastic Security found that most of the time, the crooks use it to deploy the Lumma infostealer.

Via The Register

More from TechRadar Pro

Share.
Exit mobile version