Ghostpulse Malware Loader Hides Inside PNG Images

The Ghostpulse malware loader has evolved to hide its malicious payload within the pixels of a PNG image file, making it increasingly difficult to detect. This technique complements the malware's social engineering tactics, which trick victims into downloading and executing the payload themselves.

Security experts say this change is "one of the most significant" updates made by Ghostpulse since it first appeared in 2023. Rather than carrying the payload in a separate file or in a PNG's metadata, the loader now reconstructs it as a byte array by reading the RGB values of the image's pixels through standard Windows APIs, so the malicious data lives inside the image's pixel data itself.
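Because the payload is stored in pixel values rather than in a chunk that a scanner can strip, one defensive triage signal is the statistical shape of the decoded RGB stream: a smooth, natural-looking image has low byte entropy, while pixels that carry an encrypted or compressed blob look like random data. The following is an added example, not code from the article or from any Ghostpulse analysis; it builds two constructed PNG fixtures with the standard library (a plain gradient and an image whose pixels are filled with pseudo-random bytes as a stand-in for an encrypted payload), decodes the pixel bytes, and flags the high-entropy one. The 7.5 bits-per-byte threshold and the helper names are assumptions chosen for this example.

```python
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def encode_rgb_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer (filter type 0 on every row), used only
    to create constructed test fixtures for the detector below."""
    assert len(rgb) == width * height * 3, "rgb buffer must be width*height*3 bytes"
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def extract_rgb_bytes(png: bytes) -> bytes:
    """Walk the chunk list, inflate the IDAT stream and return the raw RGB
    bytes, i.e. the same byte array a pixel-reading loader would rebuild.
    Only 8-bit RGB with filter type 0 is handled; anything else raises."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, width, height, idat = 8, None, None, b""
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 tag + data + 4 CRC
    if width is None:
        raise ValueError("IHDR chunk missing")
    raw = zlib.decompress(idat)
    stride = width * 3 + 1  # one filter byte precedes each row
    out = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("example handles filter type 0 only")
        out += row[1:]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(png: bytes, threshold: float = 7.5) -> bool:
    """Triage heuristic: pixel bytes that look like random data (entropy at or
    above the assumed threshold) are worth a closer look."""
    return shannon_entropy(extract_rgb_bytes(png)) >= threshold


def gradient_rgb(width: int = 64, height: int = 64) -> bytes:
    """Constructed benign content: R follows x, G follows y, B is constant."""
    return bytes(v for y in range(height) for x in range(width)
                 for v in ((x * 4) & 0xFF, (y * 4) & 0xFF, 128))


def make_gradient_png(width: int = 64, height: int = 64) -> bytes:
    return encode_rgb_png(width, height, gradient_rgb(width, height))


def make_payload_carrier_png(width: int = 64, height: int = 64, seed: int = 1234) -> bytes:
    """Constructed fixture: pixels filled with seeded pseudo-random bytes, a
    stand-in for an encrypted blob, so the detector has a positive case."""
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(width * height * 3))
    return encode_rgb_png(width, height, blob)


if __name__ == "__main__":
    for name, png in (("gradient", make_gradient_png()), ("carrier", make_payload_carrier_png())):
        ent = shannon_entropy(extract_rgb_bytes(png))
        print(f"{name:8s} entropy={ent:.3f} bits/byte suspicious={is_suspicious(png)}")
```

Entropy is a triage signal, not a verdict: photographs and already-compressed textures can score high as well, and a payload can be spread thinly across an otherwise ordinary image to stay under any fixed threshold. In practice this check is most useful when combined with context, such as a PNG being read by a process that has no business decoding images, or image dimensions that bear no relation to the file's visible content.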

Hiding data in image pixels is not a new technique, but its adoption shows the continued sophistication of those behind Ghostpulse. The loader is often used as a first stage for more dangerous malware, such as the Lumma infostealer.

Lumma itself is a “potent” and “sophisticated” malware-as-a-service offering that targets various data sources, including cryptocurrency wallets, web browsers, and two-factor authentication browser extensions. Darktrace warns that access to Lumma can be purchased for around $250, with the source code costing up to $20,000.

To keep safe from Ghostpulse and Lumma, security experts recommend using up-to-date tooling and detection content, such as Elastic's published YARA rules. Even so, defenders must keep adapting to stay ahead of evolving threats like these.

Source: https://www.theregister.com/2024/10/22/ghostpulse_malware_loader_png/