PNG Embedded – Malicious payload hidden in a PNG file

BlackSt0rm
Posts: 40
Joined: Tue Mar 22, 2016 6:23 pm
Country: South Africa
Firstname: Branagth

PNG Embedded – Malicious payload hidden in a PNG file

Postby BlackSt0rm » Thu Mar 31, 2016 4:21 pm

One of the most complex tasks for the cybercriminals is to ensure their malicious code goes undetected by antivirus and achieves its goal. For this, they have invested a lot on more complex infection processes, going beyond the traditional phishing and using techniques where the malicious payload is hidden in encrypted files – even using a known file format. This is what we found in a new Brazilian Trojan in the wild: it tries to conceal the malicious files in a PNG image. And the attack starts with a simple phishing PDF.

Malware distribution

It looks like Brazilian cybercriminals follow the security news – this type of attack was publicized several months ago in the US and now they are using the same method in Brazil. The phishing aspect used in this campaign distributes a PDF attached to the email. The file is clean. The type of attack is the same as that used to distribute an executable file or a .ZIP file containing the .pdf extension in the filename.

[screenshot]

The attached PDF contains a text commonly used in mail content, while the link (see screenshot below) directs the user to the malicious file.

[screenshot]

Closer inspection of the PDF content reveals the malicious link as well as the URL of the tool used to generate the PDF from HTML content.

[screenshot]

The malicious payload

The link prompts us to download a malicious JAR which downloads a ZIP file containing other files. Among those files we found three without any extension, but containing a PNG (Portable Network Graphics) file header – a common image format. Usually the header shows the file type that will be used in order to open the file. Something similar to this was discovered some years ago in BMP files.

[screenshot]

Looking at the file we can see that it is a solid color image of 63 x 48 pixels, but with a file size of 1.33 MB, which is too big for this specific image. Analyzing the binary that performs some operations on these files we identified the function that loads the PNG files to the memory:

[screenshot]

This function is responsible for loading the PNG file to memory, decrypting and executing the extracted binary using a technique known as RunPE, where the malicious code is executed in the context of another process, in this case iexplore.exe.

From this code we could identify that the PNG file was only 179 bytes (0xB3) – the remaining content is the encrypted malicious file.

[screenshot]

Based on this we managed to write a script to decrypt the content of the PNG files.

[screenshot]

By giving the key that can be found in the malware code we can successfully decrypt the files.

[screenshot]

Conclusion

Brazilian attacks are evolving day-by-day, becoming more complex and efficient. It is therefore necessary to be wary of emails from unknown sources, especially those containing links and attached files.

Since the malicious payload hosted in the PNG file cannot be executed without its launcher, it cannot be used as the main infector; that is usually delivered to your mailbox, so it has to be installed by a different module.

This technique allows the criminals to successfully hide the binary inside a file that appears to be a PNG image. It also makes the analysis process harder for antivirus companies as well as bypassing the automated process to detect malicious files on hosting servers.

The files related to this attack are detected by Kaspersky Lab products as:

Trojan.Win32.KillAv.ovo
HEUR:Trojan.Win32.Generic
Trojan-Downloader.Win32.Banload.cxmj
Trojan-Downloader.Win32.Agent.hgpf
HEUR:Trojan-Downloader.Java.Generic

The URLs related to this attack are also blocked by Kaspersky Lab products.

Source:

https://securelist.com/blog/virus-watch/74297/png-embedded-malicious-payload-hidden-in-a-png-file/
Is there any other kind of St0rm than Black?
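The post above describes a 63 x 48 solid-colour PNG of 179 bytes (0xB3) whose remaining 1.33 MB is the encrypted payload that the launcher decrypts and runs. As an added example, not code from the Securelist write-up or from this forum, here is a Python checker a defender could run over files that carry a PNG header (with or without an extension): it walks the chunk list, verifies each chunk's CRC, records the image geometry, and flags any bytes that follow the IEND chunk together with their Shannon entropy. It assumes the appended payload sits after a well-formed IEND chunk (the post gives the 0xB3 offset but not the chunk layout), and the sample PNG and the appended pseudo-random bytes are constructed here for the demonstration.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_solid_png(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Constructed sample: a minimal valid 8-bit RGB PNG filled with one colour."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width          # filter byte 0 followed by raw pixels
    idat = zlib.compress(row * height, 9)
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_png(blob: bytes) -> dict:
    """Walk the chunks up to IEND and report where the image really ends."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    width = height = None
    iend_at = None
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        pos += 12 + length
        if ctype == b"IEND":
            iend_at = pos
            break
    if iend_at is None:
        raise ValueError("no IEND chunk")
    trailing = blob[iend_at:]
    return {
        "width": width,
        "height": height,
        "image_bytes": iend_at,                 # offset where the real image ends
        "trailing_bytes": len(trailing),
        "trailing_entropy": shannon_entropy(trailing) if trailing else 0.0,
    }


def verdict(blob: bytes) -> str:
    """Triage rule: any data after IEND is abnormal; high entropy suggests it is encrypted."""
    info = inspect_png(blob)
    if info["trailing_bytes"] == 0:
        return "clean"
    if info["trailing_entropy"] > 7.0:
        return "suspicious: high-entropy data appended after IEND"
    return "suspicious: data appended after IEND"


# Constructed stand-in for the encrypted payload: 4096 deterministic pseudo-random bytes.
CONSTRUCTED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN_PNG = build_solid_png(63, 48)
STUFFED_PNG = CLEAN_PNG + CONSTRUCTED_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        info = inspect_png(blob)
        print(name, info, "->", verdict(blob))
```

The same rule generalises beyond this campaign: a PNG decoder stops at IEND, so a viewer renders the stuffed file identically to the clean one, which is exactly why a file-size versus image-size check (here, the byte count after IEND) catches what visual inspection does not.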

Megafisshy
MITS Leader
Posts: 36
Joined: Fri Mar 04, 2016 5:54 pm
Country: South Africa
Firstname: Grant

Re: PNG Embedded – Malicious payload hidden in a PNG file

Postby Megafisshy » Mon Apr 04, 2016 4:11 pm

That's some really nasty stuff! Thanks for the post. I remember the old .bmp exploits back in the day.

I ran across a student whose business had been hit by some ransomware that used a .pdf attack vector.
Can you think of any ways to defend against this kind of attack?

BlackSt0rm
Posts: 40
Joined: Tue Mar 22, 2016 6:23 pm
Country: South Africa
Firstname: Branagth

Re: PNG Embedded – Malicious payload hidden in a PNG file

Postby BlackSt0rm » Mon Apr 04, 2016 7:23 pm

0day mitigation is still a pretty new field of technology, but there are a few rather decent options which you don't need to fork out thousands for.
They all function the same in the end. Monitor payload delivery points for odd behavior, such as overflows and heap sprays which are not exactly stealthy.

https://www.malwarebytes.org/antiexploit/
http://www.surfright.nl/en/alert
Is there any other kind of St0rm than Black?
