PNGPlug malware is spreading through fake software installers, targeting Chinese-speaking users in Hong Kong, Taiwan, and Mainland China. A recent report highlights how cybercriminals use a phishing campaign to trick victims into downloading a malicious Microsoft Installer (MSI) package.
Once executed, the installer deploys a legitimate application to avoid suspicion. However, in the background, it extracts an encrypted archive that contains the malware. The attack uses Windows Installer’s CustomAction feature to execute hidden malicious code. This method allows the MSI package to decrypt and run malware components without raising security alarms.
The malware consists of several key files. A rogue DLL, “libcef.dll,” helps disguise its actions. A legitimate application, “down.exe,” runs as a cover, while two payload files, “aut.png” and “view.png,” are named to look like harmless images. Those two files are the actual malware components: they are decrypted and injected into memory to establish persistence and launch ValleyRAT.
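A payload that only borrows a .png name will not survive a structural check. As an added defender-side example (my code, not from the report or the malware), the following Python walks the PNG chunk stream of a file and reports why it is not a real image: missing signature, wrong first chunk, bad chunk CRCs, missing IEND, or bytes appended after IEND. The sample inputs are constructed inline; no real sample is used.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the clean reference sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_structure_issues(data: bytes) -> list:
    """Return structural problems that mark `data` as not a well-formed PNG.

    An empty list means: valid signature, IHDR first, every chunk CRC
    correct, IEND present, and nothing trailing after IEND. Anything else
    is worth a closer look when the file arrived as an "image".
    """
    issues = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            issues.append(f"truncated chunk {ctype!r} at offset {pos}")
            return issues
        if first and ctype != b"IHDR":
            issues.append(f"first chunk is {ctype!r}, not IHDR")
        first = False
        expected = struct.unpack(">I", crc_bytes)[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != expected:
            issues.append(f"bad CRC on chunk {ctype!r} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                issues.append(f"{len(data) - pos} bytes appended after IEND")
            return issues
    issues.append("no IEND chunk")
    return issues
```

Run it over any file that claims to be an image; a non-empty result on a file that the OS also shows as a broken image is a strong triage signal, and appended data after IEND is the classic place a disguised payload sits.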
ValleyRAT, first detected in 2023, is a remote access trojan (RAT). It gives attackers full control over infected devices. Recent updates have made it even more dangerous, adding features like screenshot capture and log clearing. Experts believe it is linked to the Silver Fox threat group, which shares tactics with Void Arachne, another cybercriminal cluster.
This campaign stands out for its sophisticated techniques. Attackers blend malware with legitimate software, making detection difficult. The modular design of PNGPlug allows cybercriminals to adapt it for different attacks, increasing its effectiveness.
Preventive Measures
Users should avoid downloading software from unknown sources. Always verify official websites before installing any program. Keeping security software updated and scanning files before execution can help prevent malware infections. Additionally, monitoring system changes, such as unauthorized registry modifications, can provide early warnings of an attack.