From Pixels to Payloads: Understanding Malicious PNG Files
Threat actors often demonstrate far more creativity than traditional security researchers, who may rely heavily on old-school methods to prevent malicious activities or cyber intrusions within their organization’s network. Threat actors will exploit anything, whether physical or digital, to penetrate their targets.
In this blog, we discuss something particularly interesting: investigating malicious PNG files that contain the WannaCry ransomware.
To begin, what exactly is a PNG file?
A PNG (Portable Network Graphics) file is a widely used, open, lossless raster image format commonly found online. It is used for high-quality graphics such as logos, icons, and screenshots.
Regarding the tools of the trade, I am using some basic utilities combined with Binwalk and zsteg to gain a broader view and extract the malicious payload. You can easily download Binwalk on macOS through Homebrew, but if you are using Kali Linux or any other red-team or penetration-testing distribution, it is available by default.
If you look at the screenshot below, I have imported our PNG sample into the BinText utility for string analysis. You can see something interesting: a reference to wannacry.exe. Let’s move forward with that.
Based on these clues, we can identify that something is embedded in this image file. It is possible that the threat actor used Steghide or another steganography utility in their operation. But let’s use zsteg to see what we can find.
As you can see from the zsteg output, we have something interesting: the string PK, which indicates the presence of a ZIP file header. For further identification, we can continue analyzing the PNG file to get a clearer view of what is embedded inside.
Let’s use Binwalk with the -e option to extract the malicious executable hidden inside the image as our final step in the analysis. You can run the command: binwalk -e sample.png
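To make the extraction step concrete, here is an added example (my own code, not part of the original post or of the Binwalk/zsteg projects) that does by hand what the PK clue and binwalk -e do for us: it walks the PNG chunk list, verifies each chunk CRC, and treats any bytes that follow the IEND chunk as foreign data, then looks in that trailing region for the ZIP local-file-header magic (PK\x03\x04) and lists the archive's entries without executing or writing anything. The sample PNG and the appended ZIP are constructed inline; the archive holds a harmless text file standing in for the real payload, so the script runs offline against a fake rather than against WannaCry.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # the "PK" marker that zsteg/binwalk flag


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 red RGB PNG used as a clean baseline (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def build_sample_zip():
    """Constructed ZIP with a harmless placeholder file standing in for the dropped binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("stand_in_payload.txt", "placeholder, not a real executable")
    return buf.getvalue()


def parse_chunks(data):
    """Walk the chunk list in order.

    Returns (chunks, end): a list of (type, length, crc_ok) tuples and the offset
    of the first byte after IEND. A decoder stops at IEND, so bytes at or beyond
    `end` are not part of the image; that is exactly where appended payloads live.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    off = len(PNG_SIGNATURE)
    chunks = []
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc = data[off + 8 + length:off + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, off))
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("ascii", errors="replace"), length, crc == expected))
        off += 12 + length
        if ctype == b"IEND":
            return chunks, off
    raise ValueError("no IEND chunk found")


def analyze_png(data):
    """Report foreign data after the image and any ZIP archive found in it."""
    chunks, end = parse_chunks(data)
    report = {
        "chunks": chunks,
        "trailing_offset": end if end < len(data) else None,
        "trailing_len": len(data) - end,
        "zip_offset": None,
        "zip_entries": [],
    }
    if report["trailing_len"]:
        trailing = data[end:]
        idx = trailing.find(ZIP_LOCAL_HEADER)
        if idx != -1:
            report["zip_offset"] = end + idx
            # Inspect the archive in memory only: names are listed, nothing is extracted to disk.
            with zipfile.ZipFile(io.BytesIO(trailing[idx:])) as z:
                report["zip_entries"] = z.namelist()
    return report


if __name__ == "__main__":
    suspect = build_sample_png() + build_sample_zip()  # image with an appended archive
    for key, value in analyze_png(suspect).items():
        print("%-16s %s" % (key, value))
```

A clean image yields trailing_len 0; the constructed sample reports the archive offset (equal to the length of the image proper) and the single placeholder entry. In practice this check is cheap enough to run on every inbound image, and the CRC flags in the chunk list will also catch the other common trick of stuffing data into an oversized or corrupted ancillary chunk.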
As you can see, we finally have the executable file, as shown in the screenshot below.
Enjoy :)