Debunking a Malware Technique That Bypasses Binwalk Using dd



Threat actors not only bypass EDR, NDR, XDR, and IDS, but they also bypass the toolkits that may be used against their samples during reverse engineering or analysis. In this case, I am going to discuss a malicious PNG file. Binwalk detects that it contains an embedded executable, but it is unable to parse or extract it. Technically, the sample successfully prevents Binwalk from dumping the hidden payload inside the malicious image. Binwalk is a great tool for forensic and steganography analysts, and it is commonly used to extract hidden files from images and other formats. However, this sample demonstrates a method that stops Binwalk from performing that extraction.

First, let’s investigate the metadata of the malicious PNG file using ExifTool, a tool that parses file metadata so that threat researchers and forensic examiners can analyze it. Metadata is, simply put, data about data. As the ExifTool output below shows, our sample contains binary data appended after the end of the PNG file.



At this point, it is time to use Foremost to validate our analysis. It always makes sense to use multiple tools or alternative options for validation.




As you can see, Foremost is not able to parse or dump the hidden executable embedded inside this image file. Now, let’s run Binwalk on our sample to see if it provides any clues about the malicious PNG file.

Great. As you can see, Binwalk reports that the file contains an embedded Portable Executable (PE), but unfortunately, there is no extracted output in the folder generated by Binwalk when using the -e option. To retrieve the hidden PE file, we can use the dd tool. First, we note the decimal offset of the PE file, which is 98757 (0x181C5), corresponding to a Windows PE binary for Intel x86‑64. Then, using the command dd if=image.png of=output.bin bs=1 skip=98757, we can manually dump the embedded binary. After running this command, the extracted binary is available in output.bin.
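The two manual steps above, ExifTool's observation that data follows the end of the PNG and the dd carve at the offset Binwalk reported, can be combined into one check that derives the offset from the file itself. The script below is an added example written for this article; it is not part of the original post, nor code from Binwalk, Foremost, ExifTool or dd. It assumes a file laid out like the sample described here (a PE appended after the PNG's IEND chunk) and, so that it runs offline, builds a constructed PNG chunk skeleton with a fake x86-64 DLL header appended in place of the real malware.

```python
"""Carve an executable appended after a PNG's IEND chunk (added example)."""
import struct
import sys
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag for a DLL
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # COFF Machine value for x86-64


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past IEND.

    Anything after that offset is not part of the image; it is what
    ExifTool reports as trailing binary data."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def find_pe_offset(data: bytes, start: int) -> Optional[int]:
    """Return the first MZ header at or after `start` whose e_lfanew field
    points at a real 'PE\\0\\0' signature, or None if there is none."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if data[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_trailing_payload(data: bytes) -> dict:
    """Describe and extract whatever sits after the PNG's IEND chunk.

    This is the programmatic equivalent of noting Binwalk's offset and
    running dd if=image.png of=output.bin bs=1 skip=<offset>."""
    end = png_end_offset(data)
    pe_offset = find_pe_offset(data, end)
    result = {"png_end": end, "trailing_bytes": len(data) - end,
              "pe_offset": pe_offset, "payload": b"",
              "machine": None, "is_dll": None}
    if pe_offset is not None:
        e_lfanew = struct.unpack_from("<I", data, pe_offset + 0x3C)[0]
        coff = pe_offset + e_lfanew + 4           # COFF header follows 'PE\0\0'
        machine = struct.unpack_from("<H", data, coff)[0]
        characteristics = struct.unpack_from("<H", data, coff + 18)[0]
        result.update(payload=data[pe_offset:], machine=machine,
                      is_dll=bool(characteristics & IMAGE_FILE_DLL))
    return result


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed input (not the real sample): a PNG chunk skeleton
    (IHDR + IEND, no image data) with a fake x86-64 DLL header appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)    # 1x1, 8-bit RGB
    png = PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"")
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0,
                       0x0002 | IMAGE_FILE_DLL)            # EXECUTABLE_IMAGE | DLL
    return png + b"\0\0\0" + dos_header + b"PE\0\0" + coff  # 3 junk bytes first


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = carve_trailing_payload(data)
    print(f"PNG ends at {info['png_end']}, {info['trailing_bytes']} trailing bytes")
    if info["pe_offset"] is None:
        print("no PE header found after IEND")
    else:
        print(f"PE at offset {info['pe_offset']} (0x{info['pe_offset']:X}), "
              f"machine 0x{info['machine']:04X}, DLL={info['is_dll']}")
        if len(sys.argv) > 2:
            with open(sys.argv[2], "wb") as f:
                f.write(info["payload"])
```

Run it with the image path and an output path to carve a real file, or with no arguments to run against the constructed sample. Locating IEND first and then requiring that e_lfanew points at a genuine PE signature avoids trusting a bare "MZ" match, which can occur by chance inside compressed image data, and reading the file once is far faster than dd with bs=1, which copies one byte per read. The machine and DLL flags give the same verdict ExifTool reaches later in this post, straight from the COFF header.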


As you can see, it is a malicious DLL file, and we have successfully dumped the hidden and embedded Portable Executable, which neither Foremost nor Binwalk was able to extract. Now, let’s perform a string analysis on it using the strings utility, available on Linux or through the Sysinternals suite on Windows.



Now, let’s investigate the metadata of our dumped malicious DLL using ExifTool to gather more information about it.


As you can see, it is a DLL file.
