How hackers poison PNG images with malware payloads


It seems like every other day there’s a news story telling you to be afraid of this or that banal thing, right? Well, relax, because this isn’t exactly one of those stories. No one infects your computer when you view a PNG image. However, executable code hidden in PNG images is a key part of this story.

ESET identified this technique, which has been used to attack energy companies in Central and Southeast Asia. To be clear, it was used on already compromised machines, so a different exploit was used to gain access to the systems and infect them initially.
An example of what one of the infected images looks like. Normal, right?

However, once a machine was infected with the CRLoader malware, attackers were able to load another component, known as PNGLoader for obvious reasons. PNGLoader is able to extract executable data embedded in the least significant bits of PNG images. Simply put, PNG images are lossless and can have four channels: red, green, blue, and alpha. Each channel contains several bits of color information for each pixel.

Image illustrating the least significant bit encoding.

Because the least significant bits have the least impact on the appearance of the image, you can set them to whatever value you want without changing the apparent legitimacy of the image. In turn, this allows you to encode any binary data you want into a PNG image which, for all intents and purposes, is still a perfectly legitimate image even under simple analysis.

Least significant bits extracted. Sounds like noise, right? Have you ever listened to track 1 of the CD?

The purpose is to hide the application from scanners, which usually don’t check inside images for executable data. Typically, image data is large compared to executable data, so scanners often ignore these files, assuming they would even know how to find the encoded data in the first place.

In the specific case that ESET and Avast chronicle, executable data encoded in PNG images allowed attackers to then install the DropBoxControl malware and transfer files in encrypted format between infected systems and Dropbox.

As mentioned, these images appear to be completely legit for all purposes; while the “least significant bit” encoding is well known and easily found via statistical analysis, you have to search for it to find it. Luckily, you can’t attack a system with just these images, so there’s no particular reason to be alarmed just yet.
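
One form the statistical analysis mentioned above can take is a pairs-of-values test on decoded channel bytes, run over growing prefixes of the image. This Python code is an added example, not code from ESET, Avast or this article; it assumes the pixel samples are already decoded to raw bytes, and the function names, the 2.0 threshold and the sample data are constructed for illustration.

```python
import random
from collections import Counter

def pov_ratio(samples: bytes) -> float:
    """Pairs-of-values statistic per degree of freedom.

    Overwriting LSBs with random-looking bits evens out the counts of each
    value pair (2k, 2k+1). A result near 1.0 means the pairs are balanced
    like coin flips (suspicious); far above 1.0 means the LSBs have structure.
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        if n0 + n1 >= 10:  # skip sparse pairs: too few samples to judge
            stat += (n0 - n1) ** 2 / (n0 + n1)
            pairs += 1
    return stat / pairs if pairs else float("inf")

def scan_prefixes(samples: bytes, step: int, threshold: float = 2.0) -> int:
    """Test growing prefixes and return the longest one that still looks
    LSB-randomised (0 if none). Data written from the first sample onward
    shows up as a suspicious prefix followed by clean samples."""
    flagged = 0
    for end in range(step, len(samples) + 1, step):
        if pov_ratio(samples[:end]) < threshold:
            flagged = end
    return flagged

def constructed_samples():
    """Constructed test data: a posterised gradient as the clean channel, and
    a copy whose first half has its LSBs overwritten with seeded random bits."""
    cover = bytes((i % 64) * 4 for i in range(12800))
    rng = random.Random(1)  # stands in for embedded data; fixed seed
    half = len(cover) // 2
    altered = bytes((b & 0xFE) | rng.getrandbits(1) for b in cover[:half])
    return cover, altered + cover[half:]

if __name__ == "__main__":
    cover, suspect = constructed_samples()
    print("clean ratio:", pov_ratio(cover))
    print("suspicious prefix length:", scan_prefixes(suspect, 3200))
```

Real photographs with smooth histograms score much closer to 1.0 than this constructed clean sample does, so the threshold needs calibrating against known-clean images from the same source.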
