Brazilian Criminals Use Malicious PNG File to Infect Windows, OS X, and Linux Machines

SecureList has identified an email spam campaign that is currently being used to attack computers in Brazil. While the majority of victims are located in Brazil, the malware is also being used against users in Spain, Portugal, the United States and elsewhere.

To avoid detection, the attackers encrypted the malicious payload inside a PNG file, a common image format that most people do not associate with malware.

The image file is not attached to an email and sent in a spam message; instead, the attack starts with a PDF file containing a malicious link. The PDF is sent out in spam emails that use social engineering to trick users into opening the attachment. The PDF itself contains no malicious code; it relies on the link to infect users, and visiting that link begins the infection process.

The link prompts users to install a malicious Java JAR file, which in turn drops a ZIP archive. The archive contains a number of files, among them a malicious PNG file, or more precisely a file with a PNG header. When researchers analyzed the binary, they found that the PNG file was far larger than an image of its stated dimensions should be.
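The size mismatch the researchers noticed is something a defender can check for mechanically. The following Python script is an added example written for this article; it is not code from SecureList, Kaspersky or Defensorum. It walks the chunk structure of a PNG, verifies each chunk's CRC, reports any bytes that follow the IEND chunk, and flags a file whose total size exceeds a constructed heuristic ceiling (the maximum uncompressed pixel data for the IHDR dimensions plus 1024 bytes of slack for metadata). The tiny 1x1 test image and the appended filler bytes are constructed inline so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Construct a valid opaque black RGBA PNG (test fixture, not a real sample)."""
    # Each scanline is a filter byte (0 = None) followed by 4 bytes per pixel.
    raw = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def inspect_png(data: bytes) -> dict:
    """Parse PNG chunks and report structural anomalies a triage analyst cares about."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks, bad_crc = [], []
    width = height = None
    end_of_image = None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        data_start = pos + 8
        crc_pos = data_start + length
        if crc_pos + 4 > len(data):
            raise ValueError("truncated chunk: %r" % ctype)
        cdata = data[data_start:crc_pos]
        (crc,) = struct.unpack(">I", data[crc_pos:crc_pos + 4])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if zlib.crc32(ctype + cdata) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", cdata[:8])
        pos = crc_pos + 4
        if ctype == b"IEND":
            end_of_image = pos  # a well-formed PNG ends here
            break
    if end_of_image is None or width is None:
        raise ValueError("missing IHDR or IEND chunk")
    trailing = len(data) - end_of_image
    # Heuristic ceiling (assumption, not a PNG rule): 16-bit RGBA is 8 bytes per
    # pixel, plus one filter byte per row, plus slack for ancillary metadata.
    max_expected = width * height * 8 + height + 1024
    reasons = []
    if trailing:
        reasons.append("%d bytes after IEND" % trailing)
    if bad_crc:
        reasons.append("CRC mismatch in " + ", ".join(bad_crc))
    if len(data) > max_expected:
        reasons.append("size %d exceeds heuristic max %d" % (len(data), max_expected))
    return {
        "width": width, "height": height, "chunks": chunks,
        "bad_crc": bad_crc, "trailing_bytes": trailing, "size": len(data),
        "max_expected": max_expected, "suspicious": bool(reasons), "reasons": reasons,
    }


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for an appended encrypted payload: 3000 filler bytes.
    padded = clean + b"\x00" * 3000
    for label, blob in (("clean", clean), ("padded", padded)):
        r = inspect_png(blob)
        print(label, "suspicious=%s" % r["suspicious"], r["reasons"])
```

Running the script reports the clean fixture as unremarkable and the padded copy as suspicious on two counts: data after IEND and a size far beyond what a 1x1 image can justify. Real samples may hide the payload inside oversized ancillary chunks rather than after IEND, which is why the size heuristic is kept alongside the trailing-bytes check.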

Further investigation showed how the malicious PNG file was loaded into memory: using a technique called RunPE, which attackers use to hide malicious code inside a legitimate process. In this instance that process is iexplore.exe.

The malicious PNG file cannot infect a user on its own, as a launcher is required to decrypt its contents. The scammers send the PDF file to start the infection process. Since the file in the zip archive carries a PDF extension, users who receive it are likely to double-click to open it, thus infecting their systems. As the malicious code in the PDF file is encrypted, it is not picked up by antivirus software. However, SecureList points out that the malicious files used in this attack are detected by Kaspersky Lab products.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone