Pixel perfect Ghostpulse malware loader hides inside PNG image files The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023. The image file format is popularly used for web graphics and is often picked in preference to a lossy …
> For one horrible moment there I though that some idiot had decided that PNG files were executables. Now I read it a second time, I see that the nasty is in the remote script - I assume Windows only - run by the duped user.
Exactly. Sounds to me like the 'PNG' angle is just the command channel to an already compromised host, not an attack vector. Won't stop the dibbles banning PNG files in the usual exit-horse-door-bolting exercise though.
Fun aside, back in the days when I spent time trying to help with Ogg Vorbis metadata (there's a limit to the value you can add when people like Chris Montgomery are doing the heavy lifting), one suggestion that arrived from outside the regular developers was to add a field that would cause a command to be run. It was obviously gently but very firmly rejected. I didn't (and don't) think it was made maliciously, just someone who had some idea for a thing they thought would be cool and had in absolutely no way thought it out fully.
. . using their brain.
I'm supposed to click on some link and enter keyboard shortcuts instead of a normal CAPTCHA ?
First of all, I'm going to check out that link. If you say you're from Microsoft and you sent me the mail from a gmail account, you're out. If you manage to spoof the microsoft account, the I want to see the link going to website that has the word microsoft in it. If it doesn't, you're out. Finally, I'm not going to do CTRL-C on a CAPTCHA. You're out.
Use your brain, people.
You don't press CTRL-C, the website has navigator.clipboard.writeText() on the submit button so that when you press submit it copies the code to you clipboard.
Then once you have clicked submit a box pops up asking you to press Windows key + R and then CTRL-V.
I mean, that's sneaky but it's still going to pop up the "Run" dialog and then populate it with what (to most people) will look like a gibberish string, or (to techies) a deeply suspicious decode-this-png.exe, isn't it? Or have I missed something? There should be all kinds of alarm bells jangling before you hit run on that command?
It probably confuses the majority of phone scammers who aren't that technically aware themselves, but it wouldn't be much of a protection against a website like this one if they tried for about ten minutes. Linux and Mac OS have key commands that would accept commands, and user agent strings will generally tell them which operating system you're running*. So they could easily present the average user with instructions that will run a script on their computer whether it's Windows or not.
* Yes, you can lie about the operating system, but chances are that if you know why you're doing it, you also know not to open a command window and paste things in it. For someone who was given a Linux system by a friend, they won't have chosen to change their user agent. If you have given Linux systems to your family members but switched the user agents beforehand, you're in a pretty small minority even of those installing Linux for others.
I don't think it's realistic to expect all users to handle this with the same level of savvy that you attribute to yourself. A lot of users just aren't technically savvy enough to have their suspicions raised by what they're being asked to do in this (ab)use case (especially considering that website login procedures are becoming more complex/cryptic in attempts to thwart ne'er-do-wells).
Actually, even some things could trip up the more technically aware. A friend of mine was technically adept - built their own PCs, installed and configured lord-knows-how-many bits of software....but was woefully ignorant of some key combinations, e.g. had no idea that CTRL-X did a cut - they'd always used CTRL-Delete and had never had the need to know there was another way to do it.
It takes all sorts to make a world...and a lot of them could get caught out by the sort of attack vector described in the article
Much like electricity and water, it will find the quickest and easiest path to it's end goal.... and in this instance, the end user without the wherewithal to understand what is happening, who will happily and blindly follow what they are told because...."Computer said so"
Pardon me for my stupidity, but is the data location in a PNG a complete waste of space, or is the resulting image mangled because its not really an image? If I have two pictures of a Datsun B210, and only one of them is infected, why are they both still pictures of a Datsun B210? Or are they?
In my case, the PNG was just a container for compressed data. (Back in the day, browsers supported PNG but not dedicated decompression, and javascript was a lot slower. Also, every web server could serve PNG without configuration changes necessary for binary files.) The image looked like white noise when decompressed. But the user never saw it. And, while I wasn't trying to defeat virus checkers, presumably they wouldn't be evaluating the artistic merit of the image.
I've just skimmed the elastic.co write up, and it looks similar. The PNG is stored as a "resource" in a seemingly benign .EXE. A virus checker would give the EXE a clean bill of health; all it sees is a legit EXE accessing a PNG resource. But the malicious API calls, etc... are "encrypted" in the image part of the PNG. And, as the PNG can be varied, every infection could have a unique PNG.
Anyway, there's nothing headline grabbing here; nothing I'd grant a patent for. It's just another way of hiding data.
There could be an interesting use for AI here. When presented with an executable file which contains image resources, extract these and examine them to see if they actually look like a picture of something. If they do then probably OK, if they look like white noise then flag as potentially dodgy.
Then again, the miscreants could sneak something into an image that looks benign, as per the steganography comment above.
Hmmmm...it really is a bit of an arms race this, isn't it?
You don't even need steganography for that. With their current technique, it checks whether a given 16-byte block is part of the instructions or not. All you need to do is not include too many of them. The picture as a whole is a perfectly normal full screen graphic and looks normal enough, but 40k/3.69M pixels would look weird. Maybe you could notice that if you looked at it long enough, but an AI probably wouldn't tell that there are little areas where something looks different in this picture. You could train one specifically to recognize tiny imperfections, but then you're specifically fighting against this one method and might miss plenty of other ones.
"If the developers used their talents for good they could do something amazing. Rather than just being - well, you know. Pointless criminal scum."
The shitty thing is that thanks to management and lawyers and HR and capitalism and "you must regularly go to the office in some expensive tech city", it probably pays better to be pointless criminal scum than to be an honest cog in a broken system.
Once you figure that this article is just a description of a way of encoding information into PNG files that the malware can decipher then it makes sense.
I watched a very interesting youTube video recently about the mechanisms used in QR codes to carry information and harden that information against errors. Most illuminating --- and it demonstrates that with the right type of encoding and error detection/correction you can carry large amounts of information in just about anything. All you have to do is identify the pattern that contains the information, decode the 'clock' (the size of each information bit), pull any encoding metadata and then pull the information and error check data from the pattern (allowing for run length limitations, padding, etc.). Its all quite straightforward -- at least as straightforward as pulling any signal from a potentially noisy source can be.
(The only malware angle is the perennial problem of so-called operating systems that allow people to run random bits of data as code.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
