ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool PNGLoad

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: PNGLoad

NamesPNGLoad
CategoryMalware
TypeLoader
Description(ESET) PNGLoad is the second-stage payload deployed by Worok on compromised systems and, according to ESET telemetry, loaded either by CLRLoad or PowHeartBeat. While we don’t see any code in PowHeartBeat that directly loads PNGLoad, the backdoor has the capabilities to download and execute additional payloads from the C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable – obfuscated with .NET Reactor – that masquerades as legitimate software. For example, Figure 11 shows the CLR headers of a sample masquerading as a WinRAR DLL.
Information<https://www.welivesecurity.com/2022/09/06/worok-big-picture/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load>

Last change to this tool card: 27 December 2022

Download this tool card in JSON format

All groups using tool PNGLoad

ChangedNameCountryObserved

APT groups

 WorokChina2020 

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]