PNGLoad

Description

(ESET) PNGLoad is the second-stage payload deployed by Worok on compromised systems and, according to ESET telemetry, loaded either by CLRLoad or PowHeartBeat. While we don’t see any code in PowHeartBeat that directly loads PNGLoad, the backdoor has the capabilities to download and execute additional payloads from the C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable – obfuscated with .NET Reactor – that masquerades as legitimate software. For example, Figure 11 shows the CLR headers of a sample masquerading as a WinRAR DLL.

Names

Name
PNGLoad

Type

Loader

Information

https://www.welivesecurity.com/2022/09/06/worok-big-picture/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load

Other Information

Uuid

f9459882-ea88-44c9-aaa5-b4f51918e0f5

Last Card Change

2022-12-27

Threat Intelligence Garden

Explorer

PNGLoad

PNGLoad

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks