CATEGORIES
home News

How Hackers Are Poisoning PNG Images With Malware Payloads

by Zak KillianFriday, November 11, 2022, 05:03 PM EDT
png attack hero
It seems like every other day there's a news story telling you to be afraid of this or that commonplace thing, right? Well relax, because this isn't one of those stories, exactly. No one's infecting your computer when you view a PNG image. However, executable code hidden in PNG images is a key part of this story.

ESET are the ones who located this technique, which was used to attack energy companies in Central and Southeast Asia. To be clear, it was used on machines that were already compromised, so a different exploit was used to gain access to the systems and initially infect them.

infected cloud
An example of what one of the infected images looks like. Normal, right?

However, once they were infected with the CRLoader malware, the attackers were able to load another component, known as PNGLoader for obvious reasons. PNGLoader is able to extract executable data embedded in PNG images' least significant bits. To put it simply, PNG images are lossless, and can have four channels: red, green, blue, and alpha. Each channel contains multiple bits of color information for each pixel.

lsb encoding
Image demonstrating least-significant-bit encoding.


By using the least-significant bits that have the smallest impact on the image's appearance, you can set them to whatever value you want without changing the image's apparent legitimacy. In turn, this ability allows you to encode whatever binary data you want into a PNG image that for all intents and purposes is still a completely legitimate image, even under simple analysis.

noise
Least-significant-bits extracted. Looks like noise, right? Ever listen to CD Track 1?

The point of doing such a thing is to hide your application from scanners that ordinarily won't check inside images for executable data. Typically, image data is large compared to executable data, so scanners will often skip over these files—assuming they would even know how to find the encoded data in the first place.

In the specific event that ESET and Avast chronicled, executable data encoded in PNG images allowed the attackers to then install the DropBoxControl malware and transfer files in encrypted format between the infected systems and DropBox.

flowchart

As we mentioned, these images appear to be completely legitimate for all purposes; while "least significant bit" encoding is well-known and easily found via statistical analysis, you need to be looking for it to find it. Fortunately you can't attack a system just with these images, so there's no particular cause for alarm—yet.
Tags:  security, Avast, cybersecurity, ESET
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment