Join Trustwave at the 2023 Gartner Security & Risk Management Summit in London, September 26-28. Learn More

Join Trustwave at the 2023 Gartner Security & Risk Management Summit in London, September 26-28. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Spammed PNG file hides LokiBot

Contributing authors: Phil Hay, Rodel Mendrez

Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console, as below:



Needless to say, there are several suspicious elements here:

  • The attachment has a .zipx extension
  • The gateway identified the message as a PNG image
  • The image itself resembles a ‘JPG’ icon.
  • The subject line is typical of those we see associated with malware.

So what’s going on here?  Let’s examine the file.

The header of the file indicates that it truly is a PNG.




The image file can be opened with an image viewer:




However, the .zipx extension suggests something else is going on here. Let’s look further into the file.

In a PNG file, IEND is supposed to mark the end of the image and is supposed to appear last. But in this file there is a bunch of data after IEND. If you look at the snippet below, you can see a PK header marker indicating some kind of zip archive, and a filename called RFQ -5600005870.exe.  The PNG format specification appears to allow for such extraneous data, it is up to the application to decide to try and interpret or ignore such data.




So, let’s try unzipping it. WinZip and 7-Zip gave errors upon trying to unzip the file, but WinRAR had no such problem, happily extracting the file RFQ -5600005870.exe. Interestingly, if you alter the extension to anything other than zip or zipx, 7-Zip will also happily extract the .exe file. It seems that some decompression utilities will traverse the whole file looking for suitable stuff to unpack.

Here’s how the message could have appeared to a user who had WinRAR - clicking the attachment would open up WinRAR for extracting the payload.




Analyzing the extracted .exe file indicates that it consists of multiple stages, with the first stage executable compiled with Visual Basic.




This first stage function is to decrypt the main payload into the memory and execute it using a common technique called Process Hollowing, where a new process is created in a suspended state, its memory is unmapped and the malicious code replaces it.

Dumping the decrypted new process from memory, we end up with the main payload, as below.




Some interesting strings in the malware body start to give a hint of what this malware does.




Further analysis of the sample indicates that it is the well-known LokiBot information stealing Trojan. LokiBot is a multi-purpose modular trojan that attempts to steal passwords and other information from browsers, mail, FTP clients and other applications, as well as a raft of other functions. LokiBot is freely available in the underground markets where it can be bought quite cheaply - $300 can get you some password stealing capability.




LokiBot’s availability means it is widely used, and over the past year we have been seeing many spam messages with attached LokiBots, but never before one where the payload is hidden inside a PNG file.

The attacker likely used the PNG format to hide the executable from inspection by the email scanning gateway. The giveaway is the .zipx extension. If a user happened to have WinRAR installed, and received such a message, then clicking on the attachment would fire up WinRAR for the payload exe to be extracted by the user. The upshot is we may all want to inspect those PNG files a little closer.



.zipx attachment

SHA256: 3654011653e7289620041cb831bf93e6c480815feede72320cde94f20ce7f185

Extracted executable

SHA256: c9ddcf7d0cd026cdeac9586515b4d591c1ca63ee9c009cd00b198178e5e84f03

CnC of LokiBot