Tricks and Treats: New Pixel-Level Deception

Oct. 21, 2024, 9:53 a.m.

Description

GHOSTPULSE malware has evolved to embed malicious data within the pixel structure of PNG files, replacing its earlier technique of hiding data in IDAT chunks. Recent campaigns rely on social engineering: victims are presented with CAPTCHA validations that trick them into triggering malicious commands through keyboard shortcuts. The malware now parses the image's pixels to recover its configuration and payload, verifying the extracted data with a CRC32 hash. Elastic Security has updated its YARA rules and its configuration extractor tool to detect and analyze both the old and the new versions. The new approach streamlines deployment to a single compromised executable that carries the PNG file in its resources section.

Date

  • Created: Oct. 18, 2024, 9:03 p.m.
  • Published: Oct. 18, 2024, 9:03 p.m.
  • Modified: Oct. 21, 2024, 9:53 a.m.

Indicators

  • vozmeatillu.shop
  • stogeneratmns.shop
  • riderratttinow.shop
  • reinforcenh.shop
  • offensivedzvju.shop
  • gutterydhowi.shop
  • ghostreedmnu.shop
  • fragnantbui.shop
  • drawzhotdog.shop

Attack Patterns

  • GHOSTPULSE
  • Lumma Stealer
  • T1027.003
  • T1027.002
  • T1204.001
  • T1059.001
  • T1566.002
  • T1547.001
  • T1055
  • T1140
  • T1027