Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Spammed PNG file hides LokiBot

Contributing authors: Phil Hay, Rodel Mendrez

Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console, as below:



Needless to say, there are several suspicious elements here:

  • The attachment has a .zipx extension
  • The gateway identified the message as a PNG image
  • The image itself resembles a ‘JPG’ icon.
  • The subject line is typical of those we see associated with malware.

So what’s going on here?  Let’s examine the file.

The header of the file indicates that it truly is a PNG.




The image file can be opened with an image viewer:




However, the .zipx extension suggests something else is going on here. Let’s look further into the file.

In a PNG file, IEND is supposed to mark the end of the image and is supposed to appear last. But in this file there is a bunch of data after IEND. If you look at the snippet below, you can see a PK header marker indicating some kind of zip archive, and a filename called RFQ -5600005870.exe.  The PNG format specification appears to allow for such extraneous data, it is up to the application to decide to try and interpret or ignore such data.




So, let’s try unzipping it. WinZip and 7-Zip gave errors upon trying to unzip the file, but WinRAR had no such problem, happily extracting the file RFQ -5600005870.exe. Interestingly, if you alter the extension to anything other than zip or zipx, 7-Zip will also happily extract the .exe file. It seems that some decompression utilities will traverse the whole file looking for suitable stuff to unpack.

Here’s how the message could have appeared to a user who had WinRAR - clicking the attachment would open up WinRAR for extracting the payload.




Analyzing the extracted .exe file indicates that it consists of multiple stages, with the first stage executable compiled with Visual Basic.




This first stage function is to decrypt the main payload into the memory and execute it using a common technique called Process Hollowing, where a new process is created in a suspended state, its memory is unmapped and the malicious code replaces it.

Dumping the decrypted new process from memory, we end up with the main payload, as below.




Some interesting strings in the malware body start to give a hint of what this malware does.




Further analysis of the sample indicates that it is the well-known LokiBot information stealing Trojan. LokiBot is a multi-purpose modular trojan that attempts to steal passwords and other information from browsers, mail, FTP clients and other applications, as well as a raft of other functions. LokiBot is freely available in the underground markets where it can be bought quite cheaply - $300 can get you some password stealing capability.




LokiBot’s availability means it is widely used, and over the past year we have been seeing many spam messages with attached LokiBots, but never before one where the payload is hidden inside a PNG file.

The attacker likely used the PNG format to hide the executable from inspection by the email scanning gateway. The giveaway is the .zipx extension. If a user happened to have WinRAR installed, and received such a message, then clicking on the attachment would fire up WinRAR for the payload exe to be extracted by the user. The upshot is we may all want to inspect those PNG files a little closer.



.zipx attachment

SHA256: 3654011653e7289620041cb831bf93e6c480815feede72320cde94f20ce7f185

Extracted executable

SHA256: c9ddcf7d0cd026cdeac9586515b4d591c1ca63ee9c009cd00b198178e5e84f03

CnC of LokiBot


Latest SpiderLabs Blogs

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Physical Address Strangeness in Spam

Ten years ago, Congress passed the "CAN-SPAM Act" (also known as theYou-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state-antispam laws). One of the provisions of the act is...

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More