Today > | 2 Medium vulnerabilities   -   You can now download lists of IOCs here!

Tricks and Treats: New Pixel-Level Deception

Oct. 21, 2024, 9:53 a.m.

Description

GHOSTPULSE malware has evolved to embed malicious data within pixel structures of PNG files, replacing its previous IDAT chunk technique. Recent campaigns involve social engineering tactics, tricking victims with CAPTCHA validations that trigger malicious commands through keyboard shortcuts. The malware now parses image pixels to retrieve its configuration and payload, using a CRC32 hash for verification. Elastic Security has updated its YARA rules and configuration extractor tool to detect and analyze both old and new versions. The new approach streamlines deployment to a single compromised executable with the PNG file in its resources section.

Date

Published: Oct. 18, 2024, 9:03 p.m.

Created: Oct. 18, 2024, 9:03 p.m.

Modified: Oct. 21, 2024, 9:53 a.m.

Indicators

vozmeatillu.shop

stogeneratmns.shop

riderratttinow.shop

reinforcenh.shop

offensivedzvju.shop

gutterydhowi.shop

ghostreedmnu.shop

fragnantbui.shop

drawzhotdog.shop

Attack Patterns

GHOSTPULSE

Lumma Stealer

GHOSTPULSE

T1027.003

T1027.002

T1204.001

T1059.001

T1566.002

T1547.001

T1055

T1140

T1027