Spammed PNG file hides LokiBot

Contributing authors: Phil Hay, Rodel Mendrez

Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console, as below:

Needless to say, there are several suspicious elements here:

• The attachment has a .zipx extension
• The gateway identified the message as a PNG image
• The image itself resembles a ‘JPG’ icon.
• The subject line is typical of those we see associated with malware.

So what’s going on here?  Let’s examine the file.

The header of the file indicates that it truly is a PNG.

The image file can be opened with an image viewer:

However, the .zipx extension suggests something else is going on here. Let’s look further into the file.

In a PNG file, IEND is supposed to mark the end of the image and is supposed to appear last. But in this file there is a bunch of data after IEND. If you look at the snippet below, you can see a PK header marker indicating some kind of zip archive, and a filename called RFQ -5600005870.exe.  The PNG format specification appears to allow for such extraneous data, it is up to the application to decide to try and interpret or ignore such data.

So, let’s try unzipping it. WinZip and 7-Zip gave errors upon trying to unzip the file, but WinRAR had no such problem, happily extracting the file RFQ -5600005870.exe. Interestingly, if you alter the extension to anything other than zip or zipx, 7-Zip will also happily extract the .exe file. It seems that some decompression utilities will traverse the whole file looking for suitable stuff to unpack.

Here’s how the message could have appeared to a user who had WinRAR - clicking the attachment would open up WinRAR for extracting the payload.

Analyzing the extracted .exe file indicates that it consists of multiple stages, with the first stage executable compiled with Visual Basic.

This first stage function is to decrypt the main payload into the memory and execute it using a common technique called Process Hollowing, where a new process is created in a suspended state, its memory is unmapped and the malicious code replaces it.

Dumping the decrypted new process from memory, we end up with the main payload, as below.

Some interesting strings in the malware body start to give a hint of what this malware does.

Further analysis of the sample indicates that it is the well-known LokiBot information stealing Trojan. LokiBot is a multi-purpose modular trojan that attempts to steal passwords and other information from browsers, mail, FTP clients and other applications, as well as a raft of other functions. LokiBot is freely available in the underground markets where it can be bought quite cheaply - $300 can get you some password stealing capability.

LokiBot’s availability means it is widely used, and over the past year we have been seeing many spam messages with attached LokiBots, but never before one where the payload is hidden inside a PNG file.

The attacker likely used the PNG format to hide the executable from inspection by the email scanning gateway. The giveaway is the .zipx extension. If a user happened to have WinRAR installed, and received such a message, then clicking on the attachment would fire up WinRAR for the payload exe to be extracted by the user. The upshot is we may all want to inspect those PNG files a little closer.

IOCs:

SHA256: 3654011653e7289620041cb831bf93e6c480815feede72320cde94f20ce7f185