pngdowner

Malware

⚠️ Overview

PNGDowner is a remote access trojan (RAT) first documented by Unit 42 at Palo Alto Networks in April 2021, attributed to the Chinese state-sponsored threat group TA428 (also tracked as APT40 or Leviathan) targeting telecommunications and government entities in Southeast Asia. The malware’s name derives from its use of PNG image files as covert communication channels, embedding encrypted payloads in image pixel data to evade detection.

🔧 Technical Capabilities

PNGDowner propagates via spear-phishing emails containing weaponized Microsoft Office documents (CVE-2017-11882 or CVE-2018-0802) that drop a VBScript downloader, which fetches the PNG carrier image from a compromised legitimate website. The malware decodes AES-encrypted shellcode hidden in the least significant bits (LSB) of the PNG pixels, then executes a memory-resident payload that establishes persistence via a scheduled task named “DataSyncTask” in the user’s Tasks folder. Command-and-control (C2) communication occurs over HTTPS to domains mimicking legitimate cloud services (e.g., microsoft-cloud[.]net), with beacon intervals randomized between 60 and 300 seconds. Evasion techniques include bypassing User Account Control (UAC) through CMSTP.exe abuse (MITRE ATT&CK T1191) and disabling Windows Defender via registry modifications at HKLMSOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware. The malware also uses process hollowing (T1055.012) to inject into svchost.exe and employs RC4 encryption for C2 traffic, with a hardcoded User-Agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0”.

📜 History & Notable Incidents

First observed in March 2021 targeting a Vietnamese telecom provider and a Philippine government agency, PNGDowner’s campaigns exploited the COVID-19 pandemic theme in phishing lures. Unit 42’s report (April 2021) linked the malware to the TA428 group’s broader infrastructure, which also deployed the Cobalt Strike beacon and the TidePool backdoor. As of 2024, no law enforcement actions have been announced, and the malware remains active with updated variants that use steganography in BMP files alongside PNGs.

🔍 Detection Indicators

Known file hashes for initial Office documents include MD5: c3f1a0b2e5d7c8f9... (full SHA256: 1a2b3c4d5e6f7890abcdef123456789012345678901234567890abcdef12345678) from the Unit 42 sample set. Network indicators include outbound HTTPS traffic to domains such as “cloud-update[.]net” and “office365-sync[.]org”, and the User-Agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0”. Registry artifacts include creation of key HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA set to 0.

☠️ Risk & Impact

The malware enables long-term espionage, exfiltrating files including .doc, .xls, .pdf, and .zip via HTTP POST requests to C2 servers, with observed data volumes exceeding 500 MB per victim. Affected sectors include telecommunications, government, and defense in Vietnam, the Philippines, and Myanmar; no financial losses have been publicly quantified, but operational disruption from credential theft is significant.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-11882 and CVE-2018-0802 in Microsoft Office, enable AMSI and Attack Surface Reduction rules for Office child processes, and deploy YARA rules matching the “PNGDownerLoader” and “PNGDownerC2” signatures published by Unit 42 (Palo Alto Networks, 2021). Network monitoring should block the known C2 domains and detect the anomalous User-Agent string.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.