Source URL: https://www.theregister.com/2024/10/22/ghostpulse_malware_loader_png/
Source: The Register
Title: Pixel perfect Ghostpulse malware loader hides inside PNG image files
Feedly Summary: Miscreants combine it with an equally tricky piece of social engineering
The Ghostpulse malware strain now retrieves its main payload via a PNG image file’s pixels. This development, security experts say, is “one of the most significant changes" made by the crooks behind it since launching in 2023.…
AI Summary and Description: Yes
Summary: The text discusses the evolution of the Ghostpulse malware, highlighting its sophisticated technique of embedding malicious payloads within the pixels of PNG images. This new method complicates detection efforts and aligns with broader trends in malware development, particularly with the information stealer Lumma. The text serves as a cautionary note for security professionals to update their defenses against these advanced threats.
Detailed Description:
– **Ghostpulse Malware Evolution**: The latest version of Ghostpulse retrieves its main payload through the pixels of PNG image files, making it harder to detect compared to earlier methods that involved embedding payloads in an image’s IDAT chunk.
– **Stealthy Techniques**: The malware uses the Windows GDI+ API to extract RGB values from each pixel and constructs a byte array that helps locate and decrypt its configuration.
– **Social Engineering**: Victims are tricked into executing a PowerShell script that runs the malware by being instructed to perform specific keyboard shortcuts during what appears to be a routine CAPTCHA challenge. This level of social engineering significantly raises the attack’s sophistication.
– **Connection to Lumma Infostealer**: Ghostpulse is frequently associated with Lumma, another strain known for targeting sensitive data across various platforms including cryptocurrency wallets and two-factor authentication extensions.
– **Malware Distribution**: The text also references how Lumma is often spread through trojanized software, making it essential for users to be vigilant about software sources.
– **Defensive Measures**: The importance of adapting defenses through updated YARA rules and detection methods is stressed, recognizing that as malware techniques evolve, so must the approaches to counter them.
**Key Points:**
– Reflection of malware’s increasing sophistication and complexity.
– Highlight of the need for continuous adaptation in cybersecurity practices.
– Emphasis on the blend of social engineering and technical evasion tactics in modern malware.
The text serves as a critical update for security professionals, reinforcing the necessity for ongoing vigilance and advanced defensive strategies against evolving threats like Ghostpulse and Lumma.