One of the most complex tasks for cybercriminals is to ensure their malicious code goes undetected by antivirus and achieves its goal. To this end they have invested heavily in more complex infection processes, going beyond traditional phishing and using techniques where the malicious payload is hidden in encrypted files, even inside a well-known file format. This is what we found in a new Brazilian Trojan in the wild: it tries to conceal the malicious files in a PNG image. And the attack starts with a simple phishing PDF.

It looks like Brazilian cybercriminals follow the security news: this type of attack was publicized several months ago in the US and now the same method is being used in Brazil. The phishing side of this campaign distributes a PDF attached to the email. The type of attack is the same as that used to distribute an executable file or a … The attached PDF contains text commonly used in mail content, while the link (see screenshot below) directs the user to the malicious file.

Closer inspection of the PDF content reveals the malicious link as well as the URL of the tool used to generate the PDF from HTML content.

The link prompts us to download a malicious JAR, which in turn downloads a ZIP file containing other files. Among those files we found three without any extension but containing a PNG (Portable Network Graphics) file header, a common image format. The header (the file's magic bytes) is normally what tells the operating system and applications which format the file is and which program should open it, so a file that starts with the PNG signature is treated as an image regardless of what follows the image data. Something similar was discovered some years ago in BMP files.

Looking at the file we can see that it is a solid-colour image of 63 x 48 pixels, but with a file size of 1.33 MB, which is far too big for this specific image: 63 x 48 is only 3,024 pixels, about 9 KB even if stored uncompressed as 24-bit RGB, and a single-colour image compresses down to a few dozen bytes. Analyzing the binary that performs some operations on these files, we identified the function that loads the PNG files into memory:

This function is responsible for loading the PNG file into memory, decrypting it and executing the extracted binary using a technique known as RunPE, where the malicious code is executed in the context of another process, in this case iexplore.exe. Because the decrypted executable is mapped straight into the host process rather than written to disk, file-based scanning never sees it in decrypted form.

From this code we could identify that the PNG image itself was only 179 bytes (0xB3); the remaining content is the encrypted malicious file.

Based on this we managed to write a script to decrypt the content of the PNG files. By supplying the key that can be found in the malware code we can successfully decrypt the files.

Brazilian attacks are evolving day by day, becoming more complex and efficient. It is therefore necessary to be wary of emails from unknown sources, especially those containing links and attached files. Since the malicious payload hosted in the PNG file cannot be executed without its launcher, it cannot be used as the main infector that is usually delivered to your mailbox, so it has to be installed by a different module. This technique allows the criminals to successfully hide the binary inside a file that appears to be a PNG image. It also makes the analysis process harder for antivirus companies, as well as bypassing the automated processes used to detect malicious files on hosting servers.

The files related to this attack are detected by Kaspersky Lab products as:

The URLs related to this attack are also blocked by Kaspersky Lab products.

Comments

Well written, with attention-grabbing presentation!

I have a malware infection on multiple devices that is nearly undetectable and removable, surviving low-level formatting of storage devices and transferring over a network like wildfire. The malware also doesn't seem to be prejudiced about OSes, as I see its presence on Windows, Linux and ARM platforms, which are installed on various devices I own. I have suspected that the malware resides in several .PNG files and possibly other visual-based file formats such as … files, but have not been able to confirm this suspicion until recently, when I noticed an odd file size associated with a very small image file. I discovered the image file with my browser, using the page information and development tools, which showed me that the web page I was on was not secure and that changes had been made in the coding.
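The post's two observations, a valid PNG that is only 179 bytes followed by an encrypted executable, and a 63 x 48 image weighing 1.33 MB, translate directly into a triage check. The following Python is an added example and not the script from the original post: it builds a small solid-colour PNG as constructed sample input, appends a fake payload, walks the PNG chunk list (verifying each CRC) to find where the IEND chunk ends, reports any trailing bytes, and decrypts them. It goes slightly beyond the post in that it works for any PNG, not just this sample. The repeating-key XOR and the key `hypothetical-key` are placeholders for the malware's real routine and key, which the post does not publish; the payload bytes are constructed too.

```python
"""Detect and extract data appended after a PNG's IEND chunk.
Added example, not the original post's decryption script."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_solid_png(width, height, rgb):
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed sample input)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    scanline = b"\x00" + bytes(rgb) * width  # filter type 0 followed by the pixels
    idat = zlib.compress(scanline * height)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def parse_png(data):
    """Walk the chunk list, verifying every CRC. Returns (width, height, end_offset),
    where end_offset is the first byte after IEND, i.e. where a decoder stops reading."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    width = height = None
    off = 8
    while off + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if off + 12 + length > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        off += 12 + length
        if ctype == b"IEND":
            return width, height, off
    raise ValueError("no IEND chunk")


def trailing_data(data):
    """Return whatever follows IEND. A clean PNG yields b''."""
    _, _, end = parse_png(data)
    return data[end:]


def xor_with_key(blob, key):
    """Repeating-key XOR. Hypothetical stand-in for the malware's real routine;
    replace with the algorithm and key recovered from the loader."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def triage(data, key=None):
    """Compare the declared image against the file size and, given a key,
    decrypt the appended bytes and check for a PE 'MZ' header."""
    width, height, end = parse_png(data)
    extra = data[end:]
    report = {
        "pixels": width * height,
        "image_bytes": end,
        "extra_bytes": len(extra),
        "suspicious": len(extra) > 0,
    }
    if key is not None and extra:
        plain = xor_with_key(extra, key)
        report["looks_like_pe"] = plain.startswith(b"MZ")
        report["payload"] = plain
    return report


# Constructed sample: a 63x48 solid image with a fake "payload" appended.
SAMPLE_KEY = b"hypothetical-key"
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_PNG = build_solid_png(63, 48, (0x33, 0x66, 0x99))
SAMPLE_FILE = SAMPLE_PNG + xor_with_key(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    result = triage(SAMPLE_FILE, SAMPLE_KEY)
    print("image ends at byte", result["image_bytes"], "with", result["extra_bytes"], "trailing bytes")
    print("decrypted payload starts with MZ:", result["looks_like_pe"])
```

Run against a real sample, the image portion here corresponds to the 179 bytes the post measured, and `extra_bytes` is the encrypted executable; the ratio of `image_bytes` to total file size is the same size anomaly the analysts spotted by eye. The CRC check matters in practice: appended data does not disturb the image chunks, so a valid-looking PNG with a large tail is exactly the pattern to flag.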