Elastic Defend, Elastic's endpoint security solution, has deployed behavior protection rules to detect this threat. They cover DNS queries to suspicious top-level domains, library loads of files written by signed binary proxies, suspicious API calls from unsigned DLLs, suspicious memory writes to remote processes, and process creation from a modified NTDLL.
In addition to these protective measures, a YARA rule labeled “Windows.Trojan.GhostPulse” can identify GHOSTPULSE loaders on disk.
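Two of the behaviors listed above, a library load of a file that a signed binary proxy wrote earlier and a DNS query to a suspicious top-level domain, are simple enough to show as detection logic over a constructed event stream. The example below is added here; it is not Elastic Defend's rule logic or the YARA rule, and the proxy image names, the suspicious TLD list, the `signed` field on each event and the sample events are all constructed assumptions. The correlation rule goes slightly beyond the one-line description by adding a time window and case-insensitive path matching, which real telemetry on Windows needs.

```python
"""Behavior-style detections over constructed endpoint events (added example, not
Elastic's rule code). Two rules: (1) a library load of a file previously written
by a signed binary proxy, (2) a DNS query to a suspicious top-level domain."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumptions, not from the article: constructed image names standing in for
# signed binary proxies, and a constructed TLD list. A production rule keys on
# code-signing metadata and a curated TLD list instead of fixed names.
SIGNED_PROXIES = {"signedproxy.exe", "trustedupdater.exe"}
SUSPICIOUS_TLDS = {"badtld"}
LIBRARY_EXTENSIONS = (".dll", ".ocx")


@dataclass(frozen=True)
class Event:
    ts: int        # constructed timestamp in seconds
    kind: str      # "file_write", "library_load" or "dns_query"
    process: str   # image name of the acting process
    signed: bool   # assumed field: whether that image carries a valid signature
    target: str    # file path written/loaded, or the queried domain


def _norm(s: str) -> str:
    # Windows paths and domains are case-insensitive, so compare lower-cased.
    return s.strip().lower()


def proxy_written_library_loads(events: Iterable[Event], window_seconds: int = 3600) -> List[dict]:
    """Flag library loads whose file was written by a signed proxy within the window."""
    written: Dict[str, Tuple[str, int]] = {}   # normalized path -> (writer, write ts)
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        path = _norm(ev.target)
        if ev.kind == "file_write":
            if ev.signed and _norm(ev.process) in SIGNED_PROXIES and path.endswith(LIBRARY_EXTENSIONS):
                written[path] = (ev.process, ev.ts)
        elif ev.kind == "library_load" and path in written:
            writer, write_ts = written[path]
            delta = ev.ts - write_ts
            if delta <= window_seconds:
                alerts.append({
                    "rule": "library_load_of_proxy_written_file",
                    "loader": ev.process, "writer": writer,
                    "path": ev.target, "delta_s": delta,
                })
    return alerts


def dns_to_suspicious_tld(events: Iterable[Event]) -> List[dict]:
    """Flag DNS queries whose last label is on the suspicious TLD list."""
    alerts: List[dict] = []
    for ev in events:
        if ev.kind != "dns_query":
            continue
        labels = _norm(ev.target).rstrip(".").split(".")
        if len(labels) >= 2 and labels[-1] in SUSPICIOUS_TLDS:
            alerts.append({"rule": "dns_query_suspicious_tld",
                           "process": ev.process, "domain": ev.target})
    return alerts


# Constructed sample events: one true positive per rule, plus benign noise and a
# write/load pair that falls outside the default correlation window.
SAMPLE_EVENTS = [
    Event(100, "file_write", "signedproxy.exe", True, r"C:\Users\u\AppData\Local\Temp\Stage.DLL"),
    Event(160, "library_load", "installer.exe", False, r"c:\users\u\appdata\local\temp\stage.dll"),
    Event(200, "file_write", "notepad.exe", True, r"C:\Temp\notes.txt"),
    Event(300, "file_write", "signedproxy.exe", True, r"C:\Temp\old.dll"),
    Event(5000, "library_load", "viewer.exe", False, r"C:\Temp\old.dll"),
    Event(400, "dns_query", "installer.exe", False, "update.cdn-host.badtld"),
    Event(410, "dns_query", "browser.exe", True, "login.example.com"),
    Event(420, "dns_query", "svc.exe", True, "localhost"),
]


if __name__ == "__main__":
    for alert in proxy_written_library_loads(SAMPLE_EVENTS) + dns_to_suspicious_tld(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, the block prints one alert per rule: the `installer.exe` load of the DLL that `signedproxy.exe` wrote a minute earlier, and the query to `update.cdn-host.badtld`. The `old.dll` pair is dropped by the default one-hour window; widening `window_seconds` brings it back, which is the tuning knob that trades recall against noise from legitimate installers that stage their own libraries.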
As of now, there is no information available on how many organizations have been compromised by GHOSTPULSE, the identity of the threat actor behind this campaign, or their ultimate goal. However, given the nature of the malware delivered in the final stage, it is reasonable to speculate that this is the work of either a financially motivated group or an Initial Access Broker (IAB).