The popularity of PNG files combined with their widespread use on the internet makes them an attractive vector for threat actors. They also target PNG files primarily because they can hide malicious code using techniques like “steganography.”
Elastic security labs researchers recently discovered that GHOSTPULSE malware hides within PNG file pixel structure to evade detections.
The GHOSTPULSE malware family (aka “HIJACKLOADER” or “IDATLOADER”) has significantly evolved since its discovery in 2023. Initially, it hid malicious payloads in the “IDAT chunks” of PNG files.
However, the latest version employs a more sophisticated technique by embedding its “configuration” and “payload” directly within image pixels.
Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here
This new method uses the “RED,” “GREEN,” and “BLUE” (‘RGB’) values of each pixel that is extracted “sequentially” using Windows “GDI+ library APIs.”
The malware constructs a “byte array” from these values and searches for a specific structure containing its “encrypted configuration.”
It does this by analyzing “16-byte blocks,” and here, the first 4 bytes represent a “CRC32 hash,” while the next “12 bytes” contain the data to be hashed.
Upon finding a match, the “GHOSTPULSE” extracts the “offset,” “size,” and “4-byte XOR key” for the encrypted configuration, then decrypts it.
This pixel-based algorithm marks a significant departure from the previous “IDAT chunk” technique by enhancing the ability of the malware to evade detection.
Recent campaigns have streamlined the deployment of the GHOSTPULSE by packaging it as a “single compromised executable” with an embedded PNG file in its resources section rather than the earlier “multi-file approach.” The GHOSTPULSE malware family has undergone significant evolution since its discovery.
In response, researchers at Elastic security labs enhanced their “configuration extractor tool” to support both the “original” and “updated” versions of GHOSTPULSE.
This specialized tool analyzes “PNG image files,” which the malware uses for “hiding,” and “extracting” the embedded malicious payload.
For detection, the original YARA rule integrated into Elastic Defend remains effective against the initial stage of infection. Besides this, researchers have developed “new YARA rules” to identify the “updated GHOSTPULSE variant.”
The updated configuration extractor enables researchers to “better understand” and “combat this sophisticated threat.”
The tool provides “crucial insights” into the malware’s evolving tactics by supporting analysis of both “GHOSTPULSE” versions.
This development highlights the importance of continuous adaptation in cybersecurity, as analysts seek to stay ahead of “increasingly innovative attack methods.”
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here