Tricks and Treats: New Pixel-Level Deception
Oct. 21, 2024, 9:53 a.m.
Description
GHOSTPULSE malware has evolved to embed malicious data within the pixel structure of PNG files, replacing its previous technique of hiding data in IDAT chunks. Recent campaigns rely on social engineering: a fake CAPTCHA validation tricks the victim into pressing keyboard shortcuts that execute malicious commands. The malware now parses the image's pixels to recover its configuration and payload, verifying the extracted data with a CRC32 checksum. Elastic Security has updated its YARA rules and its configuration extractor tool to detect and analyze both the old and the new versions. The new approach streamlines deployment to a single compromised executable that carries the PNG file in its resources section.
Date
Published: Oct. 18, 2024, 9:03 p.m.
Created: Oct. 18, 2024, 9:03 p.m.
Modified: Oct. 21, 2024, 9:53 a.m.
Indicators
Attack Patterns
GHOSTPULSE
Lumma Stealer
GHOSTPULSE
T1027.003
T1027.002
T1204.001
T1059.001
T1566.002
T1547.001
T1055
T1140
T1027