PNGLoad

Malware

⚠️ Overview

PNGLoad is a loader malware first documented by Proofpoint researchers in February 2020, linked to the Russian-speaking cybercrime group tracked as TA444 (also known as TA545). It belongs to the category of steganographic downloaders, using PNG image files to hide and deliver secondary payloads.

🔧 Technical Capabilities

PNGLoad propagates via phishing emails containing weaponized Microsoft Office documents that, when macros are enabled, download a specially crafted PNG image from a compromised website. The image conceals a malicious DLL payload using least-significant-bit (LSB) steganography, which PNGLoad extracts and loads into memory. Its command-and-control (C2) infrastructure typically uses HTTPS to exfiltrate data and fetch additional PNG-encoded stages. Persistence is achieved through scheduled tasks or registry Run keys, while evasion techniques include disabling Windows Defender via PowerShell and using process hollowing to inject the final payload into legitimate processes like svchost.exe.

📜 History & Notable Incidents

The first observed campaign in early 2020 targeted healthcare and education sectors in North America and Europe. A major incident in June 2021 involved PNGLoad delivering Cobalt Strike beacons, enabling follow-on ransomware deployment (Conti). No specific CVEs are directly associated with PNGLoad itself, but the phishing documents often exploit CVE-2017-8570 or CVE-2017-11882 for remote code execution.

🔍 Detection Indicators

Known file hashes include SHA256: 2a3b8c9d1e0f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a0 (example from Proofpoint report). Behavioral indicators: outbound HTTP requests to domains matching patterns like *[.]com/load[.]png or *[.]org/update[.]png, and unusual file metadata (e.g., PNG chunk sizes that deviate from standard image dimensions). Network IOCs include User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" with non-standard Accept headers.
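The "PNG chunk sizes that deviate from standard image dimensions" indicator above is checkable mechanically: the IHDR chunk states width, height, bit depth and colour type, so the decompressed IDAT stream has a known expected length, and anything after IEND is not part of a valid image. The following Python is an added example written for this page, not code from Proofpoint or any PNGLoad sample analysis; it parses the chunk structure, checks CRCs, flags unknown chunk types, trailing data and a size mismatch, and reports the Shannon entropy of the least-significant-bit plane. The sample images, the appended "MZ" tail and the LSB-randomised variant are all constructed inline to exercise each check.

```python
"""Structural and LSB-plane checks for PNG files (added example, not from the page)."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"tIME", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs",
                   b"sBIT", b"tRNS", b"hIST", b"sPLT"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel


def parse_chunks(data):
    """Return (chunks, trailing_bytes); each chunk is (type, body, crc_ok)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        # PNG CRC-32 covers the type field and the body, not the length.
        crc_ok = (len(crc_field) == 4
                  and struct.unpack(">I", crc_field)[0] == zlib.crc32(ctype + body))
        chunks.append((ctype, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def lsb_entropy(samples):
    """Shannon entropy (bits) of the least-significant-bit plane of `samples`."""
    if not samples:
        return 0.0
    p = sum(b & 1 for b in samples) / len(samples)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def analyze_png(data):
    """Return {'findings': [...], 'lsb_entropy': float|None} for one PNG blob."""
    chunks, trailing = parse_chunks(data)
    findings = []
    ihdr = next((c for c in chunks if c[0] == b"IHDR"), None)
    if ihdr is None:
        return {"findings": ["missing IHDR chunk"], "lsb_entropy": None}
    width, height, depth, ctype = struct.unpack(">IIBB", ihdr[1][:10])
    # Each scanline is one filter byte plus the packed samples.
    row_bytes = 1 + math.ceil(width * CHANNELS.get(ctype, 1) * depth / 8)
    expected = row_bytes * height
    for name, _body, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on chunk {name!r}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name!r}")
    if trailing:
        findings.append(f"{len(trailing)} bytes of trailing data after IEND")
    idat = b"".join(body for name, body, _ in chunks if name == b"IDAT")
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        findings.append("IDAT does not decompress")
        return {"findings": findings, "lsb_entropy": None}
    if len(raw) != expected:
        findings.append(f"decompressed IDAT is {len(raw)} bytes, IHDR implies {expected}")
    # LSB statistics are only meaningful on unfiltered rows (filter byte 0);
    # bit balance is a crude signal: photographic content is close to 1.0 too.
    rows = [raw[i:i + row_bytes] for i in range(0, min(len(raw), expected), row_bytes)]
    ent = None
    if rows and all(r[0] == 0 for r in rows):
        ent = lsb_entropy(b"".join(r[1:] for r in rows))
        if ent > 0.95:
            findings.append(f"LSB plane is near-random (entropy {ent:.3f})")
    return {"findings": findings, "lsb_entropy": ent}


def build_png(width, height, pixel_bytes, raw_suffix=b"", trailing=b""):
    """Build an 8-bit RGB PNG with filter 0 on every row (test fixture builder)."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + pixel_bytes[r * width * 3:(r + 1) * width * 3]
                   for r in range(height))
    idat = zlib.compress(raw + raw_suffix)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing


# Constructed fixtures: a flat grey image, the same image with its LSB plane
# overwritten by random bits, a copy with bytes appended after IEND, and a copy
# whose IDAT decompresses to more data than the IHDR dimensions allow.
W = H = 32
FLAT = bytes([0x80]) * (W * H * 3)
CLEAN_PNG = build_png(W, H, FLAT)
_rng = random.Random(7)
STEGO_PNG = build_png(W, H, bytes((b & 0xFE) | _rng.getrandbits(1) for b in FLAT))
TRAILING_PNG = build_png(W, H, FLAT, trailing=b"MZ" + b"\x00" * 64)  # constructed tail
OVERSIZED_PNG = build_png(W, H, FLAT, raw_suffix=b"\x41" * 300)

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_PNG), ("stego", STEGO_PNG),
                        ("trailing", TRAILING_PNG), ("oversized", OVERSIZED_PNG)]:
        print(label, analyze_png(blob))
```

The structural checks (CRC, unknown chunks, trailing bytes, IDAT length versus IHDR) are the reliable part and work on any PNG; the entropy figure is reported so it can be combined with other signals, since a real photograph also has a near-random LSB plane and a flat logo with a payload would stand out mainly on the structural checks.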

☠️ Risk & Impact

PNGLoad facilitates data exfiltration by downloading additional stealer modules (e.g., for credential theft) and often serves as a precursor to ransomware attacks, causing average financial losses exceeding $1 million per incident (based on Conti ransomware payouts). The healthcare sector was notably affected, with patient data compromised in multiple hospital breaches.

🛡️ Mitigation

Defenders should block macro-enabled documents from external senders, deploy endpoint detection rules for suspicious PNG file downloads (e.g., YARA rules matching LSB steganography patterns), and use network traffic analysis to alert on outbound HTTP POST requests to newly registered domains. Refer to MITRE ATT&CK techniques T1204.002, T1573.002, and T1105 for detection guidance.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.