GHOSTPULSE Hides Inside PNG File Pixel Structure To Evade Detections


The popularity of PNG files, combined with their widespread use on the web, makes them an attractive vector for threat actors. Attackers also favor PNG files because they can hide malicious code in them using techniques such as "steganography."

Elastic Security Labs researchers recently discovered that the GHOSTPULSE malware hides inside the pixel structure of PNG files to evade detection.

The GHOSTPULSE malware family (aka "HIJACKLOADER" or "IDATLOADER") has evolved significantly since its discovery in 2023. Initially, it hid malicious payloads within the "IDAT chunks" of PNG files.

However, the latest version employs a more sophisticated technique: it embeds its "configuration" and "payload" directly within the image pixels.

This new method uses the "RED," "GREEN," and "BLUE" ('RGB') values of each pixel, which are extracted "sequentially" using the Windows "GDI+ library APIs."

Social engineering lure website (Source – Elastic)

The malware builds a "byte array" from these values and searches it for a specific structure that holds its "encrypted configuration."

It does this by examining "16-byte blocks": the first 4 bytes of a block hold a "CRC32 hash," and the next "12 bytes" contain the data that was hashed.

Block diagram (Source – Elastic)

Upon finding a matching block, GHOSTPULSE reads the "offset," "size," and "4-byte XOR key" of the encrypted configuration from it, then decrypts the configuration.
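The search described above (walk the pixel bytes, find a 16-byte block whose leading CRC32 validates the following 12 bytes, then use the offset, size and XOR key it carries) is exactly what an analyst's configuration extractor has to reproduce. The following is an added example written for this article; it is neither Elastic's extractor nor the malware's code. It starts from an already flattened RGB byte array (the GDI+ pixel read is assumed to have happened) and assumes a little-endian layout of offset, size and key inside the 12 hashed bytes, which the article does not specify. It scans every byte position rather than only 16-byte-aligned ones, so it also covers the aligned case. The sample pixel data is constructed inline and is not a real sample.

```python
import struct
import zlib

BLOCK_SIZE = 16  # 4-byte CRC32 followed by the 12 bytes that were hashed


def rgb_bytes_from_pixels(pixels):
    """Flatten (r, g, b) tuples into one byte array, pixel by pixel, in read order.

    This mimics the buffer the loader ends up with after walking the bitmap.
    """
    out = bytearray()
    for r, g, b in pixels:
        out += bytes((r, g, b))
    return bytes(out)


def find_config_block(data):
    """Return (position, offset, size, key) for the first 16-byte block whose
    leading 4 bytes equal the CRC32 of the following 12 bytes, else None.

    Assumption (not stated in the article): the 12 hashed bytes are a
    little-endian uint32 offset, a little-endian uint32 size and a 4-byte key.
    Every byte position is tested, which also covers a 16-byte-aligned scan.
    """
    for pos in range(0, len(data) - BLOCK_SIZE + 1):
        block = data[pos:pos + BLOCK_SIZE]
        stored = struct.unpack("<I", block[:4])[0]
        if (zlib.crc32(block[4:]) & 0xFFFFFFFF) == stored:
            offset, size = struct.unpack("<II", block[4:12])
            return pos, offset, size, bytes(block[12:])
    return None


def xor_bytes(buf, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def extract_config(data):
    """Locate the marker block and return the decrypted configuration, or None
    if no block validates or the referenced range lies outside the pixel data."""
    hit = find_config_block(data)
    if hit is None:
        return None
    _, offset, size, key = hit
    if offset + size > len(data):
        return None
    return xor_bytes(data[offset:offset + size], key)


def build_sample():
    """Constructed pixel data for the demo (not a real sample): filler pixels,
    one valid marker block, a 24-byte gap, then the XOR-encrypted configuration."""
    plaintext = b'{"c2":"c2.placeholder.invalid","sleep":30}'  # placeholder config
    key = b"\x13\x37\xbe\xef"
    filler_pixels = [((i * 7) % 256, (i * 11) % 256, (i * 13) % 256) for i in range(64)]
    filler = rgb_bytes_from_pixels(filler_pixels)        # 192 bytes
    cfg_offset = len(filler) + BLOCK_SIZE + 24            # 232
    hashed = struct.pack("<II", cfg_offset, len(plaintext)) + key
    marker = struct.pack("<I", zlib.crc32(hashed) & 0xFFFFFFFF) + hashed
    data = filler + marker + bytes(24) + xor_bytes(plaintext, key)
    return data, plaintext


if __name__ == "__main__":
    sample, expected = build_sample()
    print(find_config_block(sample))
    print(extract_config(sample) == expected)
```

In practice the input to `rgb_bytes_from_pixels` would come from decoding the PNG found in the executable's resources; the CRC32 check is what keeps a scan over millions of pixel bytes from producing false hits, and the bounds check in `extract_config` guards against a corrupted or truncated image.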

This pixel-based algorithm is a significant departure from the earlier "IDAT chunk" technique and improves the malware's ability to evade detection.

Recent campaigns have also streamlined GHOSTPULSE's deployment by packaging it as a "single compromised executable" with the PNG file embedded in its resources section, rather than the earlier "multi-file approach."

In response, researchers at Elastic Security Labs enhanced their "configuration extractor tool" to support both the "original" and "updated" versions of GHOSTPULSE.

This specialized tool analyzes the "PNG image files" the malware uses for "hiding" and "extracts" the embedded malicious payload.

For detection, the original YARA rule integrated into Elastic Defend remains effective against the initial stage of infection. In addition, the researchers have developed "new YARA rules" to identify the "updated GHOSTPULSE variant."

Payload extractor (Source – Elastic)

The updated configuration extractor allows researchers to "better understand" and "combat this sophisticated threat."

By supporting analysis of both "GHOSTPULSE" versions, the tool provides "crucial insights" into the malware's evolving tactics.

This development highlights the importance of continuous adaptation in cybersecurity, as analysts seek to stay ahead of "increasingly innovative attack methods."
