PROBABLYPWNED
Malware · February 18, 2026 · 4 min read

SANS Analyst Tracks Malware Using Recycled PNG Payload

Xavier Mertens discovers 846 images reusing the same Base64 steganography technique to deliver .NET malware via Equation Editor exploits. Here's how defenders can hunt for copycats.

James Rivera

A SANS Internet Storm Center analysis published today demonstrates how threat actors recycle delivery infrastructure across campaigns—and how defenders can exploit that laziness to track malware at scale.

Xavier Mertens, senior ISC handler, flagged a malicious Excel file exploiting CVE-2017-11882, the Equation Editor vulnerability Microsoft patched back in November 2017. What caught his attention wasn't the exploit itself but the payload delivery mechanism: the same PNG trick, with the same embedded-payload markers, had appeared in a campaign he analyzed weeks earlier.

The Infection Chain

The attack starts with a phishing email carrying an Excel attachment named TELERADIO_IB_OBYEKTLRIN_BURAXILIS_FORMASI.xls. Opening the file triggers the Equation Editor exploit, which downloads an HTA file from hxxp://192[.]3[.]101[.]19/31/sd878f23823878428348fd8g8g8384838f3453dfg.hta.

That HTA file contains obfuscated PowerShell that reaches out to a second server for the real payload: a PNG image hosted at hxxps://172[.]245[.]155[.]116/img/optimized_MSI.png.

The PNG isn't just an image. Embedded within it sits a Base64 blob bracketed by distinctive BaseStart- and -BaseEnd markers; decoded, it is a .NET binary. The loader extracts the text between those tags, decodes it, and runs the result in memory rather than writing it to disk.

We covered an identical technique two weeks ago when Mertens analyzed an XWorm delivery chain using the same marker format. That earlier campaign hid its PNG on a compromised travel website. The reuse suggests either a shared toolkit or the same threat actor running parallel operations.

846 Images, Same Trick

Mertens submitted the PNG to VirusTotal and discovered something interesting: 846 similar images existed in its corpus. Of those, only 36 were flagged by more than five engines, meaning most security tools weren't calling them malicious.

The low detection rate makes sense. Traditional antivirus engines look for executable code signatures, not a Base64 text blob riding inside an otherwise valid image file. Steganography attacks of this kind have grown more popular precisely because they slip past static analysis: when a PNG looks like a PNG to automated scanners, it sails through email gateways and web filters.

The consistent use of BaseStart- and -BaseEnd delimiters across hundreds of samples suggests a single tool or malware builder generating these payloads. Threat actors don't manually embed payloads in images; they use frameworks that automate the process. When those frameworks leave fingerprints, defenders can hunt for variants at scale.

Tracking Campaigns With YARA

Mertens created YARA rules to detect the marker patterns, enabling proactive hunting across environments. A basic rule targeting the delimiter strings would flag any file—image or otherwise—containing the Base64 extraction markers.

For defenders running VirusTotal Enterprise or similar retrohunting platforms, the approach offers a way to surface related samples before they hit production networks. The 846 images Mertens found likely represent dozens of separate campaigns sharing the same delivery toolkit.

The .NET binary extracted from the PNG carries a SHA256 hash of adc2f550e7ff2b707a070ffaa50fc367af6a01c037f1f5b347c444cca3c9a650. At the time of publication, detection remains spotty—another argument for behavior-based detection over signature matching.
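To make the hunt concrete, here is an added example in Python (my own code, not the ISC diary's and not the loader the article describes) that does on the defender's side what the YARA rule and the PowerShell stage above do on theirs: it builds a constructed PNG carrier with a harmless marker-delimited Base64 blob appended, then locates and decodes any BaseStart-/-BaseEnd payload, hashes it, and checks for a DOS MZ header. The same block covers the first item of the Defensive Takeaways below. Only the marker strings come from the article; the 1x1 PNG builder, the fake payload, the sample file name and every function name are assumptions made for the demonstration.

```python
"""Hunt for Base64 payloads hidden between 'BaseStart-' / '-BaseEnd' markers.

Added example for this article, not code from the ISC diary or the loader it
describes. Only the marker strings come from the article; the PNG builder, the
fake payload and all function names are assumptions made for the demo.
"""
from __future__ import annotations

import base64
import hashlib
import re
import struct
import sys
import zlib
from dataclasses import dataclass
from pathlib import Path

START_MARKER = b"BaseStart-"   # delimiters quoted in the article
END_MARKER = b"-BaseEnd"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Base64 alphabet between the markers; \s tolerates a line-wrapped blob.
MARKER_RE = re.compile(
    re.escape(START_MARKER) + rb"([A-Za-z0-9+/=\s]+?)" + re.escape(END_MARKER)
)


@dataclass
class Hit:
    offset: int           # byte offset of the start marker in the file
    payload: bytes        # decoded bytes that sat between the markers
    sha256: str           # hash to pivot on in VirusTotal or a SIEM
    looks_like_pe: bool   # 'MZ' DOS stub, as a .NET assembly carries


def is_png(data: bytes) -> bool:
    """Cheap check that the carrier still passes as a PNG to naive filters."""
    return data.startswith(PNG_MAGIC)


def find_payloads(data: bytes) -> list[Hit]:
    """Return every decodable marker-delimited Base64 blob in a file.

    The whole file is searched, so a blob appended after IEND and one tucked
    into a chunk are found alike; marker pairs whose content is not valid
    Base64 are skipped rather than reported as hits.
    """
    hits: list[Hit] = []
    for m in MARKER_RE.finditer(data):
        blob = b"".join(m.group(1).split())          # strip CR/LF/spaces
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:                           # bad alphabet/padding
            continue
        hits.append(Hit(m.start(), decoded,
                        hashlib.sha256(decoded).hexdigest(),
                        decoded[:2] == b"MZ"))
    return hits


# --- constructed sample carrier, so the hunt can run offline ----------------

def _chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 RGB PNG: IHDR, one filtered scanline in IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")      # filter 0 + one red pixel
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Harmless stand-in for the .NET binary: a DOS 'MZ' stub plus filler, no code.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed stand-in for the .NET loader"


def build_sample(payload: bytes, wrap: int = 0) -> bytes:
    """Mimic the delivery format: a real PNG, then marker + Base64 + marker."""
    b64 = base64.b64encode(payload)
    if wrap:  # some builders line-wrap the blob; the hunter must cope
        b64 = b"\r\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return minimal_png() + START_MARKER + b64 + END_MARKER


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:  # no arguments: write the constructed sample and scan it
        sample = Path("sample_optimized_MSI.png")
        sample.write_bytes(build_sample(FAKE_PAYLOAD, wrap=76))
        targets = [sample]
    for path in targets:
        for h in find_payloads(path.read_bytes()):
            print(f"{path}: marker at {h.offset}, {len(h.payload)} bytes, "
                  f"MZ={h.looks_like_pe}, sha256={h.sha256}")
```

Run it with file paths to sweep a proxy cache or mail quarantine; with no arguments it writes the constructed sample and scans that. The equivalent YARA rule needs nothing more than the two marker strings and a condition that both appear, which is exactly why it is cheap to deploy, but a marker hit alone is a lead rather than a verdict: the decode step and the MZ check separate real carriers from files that merely mention the strings, and the hash gives you something to pivot on in VirusTotal.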

Why CVE-2017-11882 Refuses to Die

The Equation Editor flaw is nearly a decade old, yet attackers keep weaponizing it. According to Kaspersky, exploitation of CVE-2017-11882 actually increased throughout 2025, driven by organizations running unpatched Office installations.

The vulnerability's longevity stems from several factors. Many enterprises still run legacy Office versions. The exploit is reliable and well-documented. And phishing emails carrying malicious Office documents remain one of the most effective initial access vectors. Groups including APT28 and FIN7 have used this exploit in targeted campaigns against the finance and healthcare sectors.

Microsoft removed the Equation Editor component (EQNEDT32.EXE) from Office entirely in January 2018, but installations that never took that update remain vulnerable.

Indicators of Compromise

Excel dropper:

  • Filename: TELERADIO_IB_OBYEKTLRIN_BURAXILIS_FORMASI.xls
  • SHA256: 1bf3ec53ddd7399cdc1faf1f0796c5228adc438b6b7fa2513399cdc0cb865962

HTA payload URL:

  • hxxp://192[.]3[.]101[.]19/31/sd878f23823878428348fd8g8g8384838f3453dfg.hta

PNG steganography payload:

  • hxxps://172[.]245[.]155[.]116/img/optimized_MSI.png

Extracted .NET binary:

  • SHA256: adc2f550e7ff2b707a070ffaa50fc367af6a01c037f1f5b347c444cca3c9a650

Defensive Takeaways

Network defenders should block the IP addresses and URLs listed above, with the usual caveat that this infrastructure will rotate and the payload markers are the more durable indicator. Beyond IOC blocking, consider these proactive measures:

  1. Hunt for steganography markers - Deploy YARA rules searching for BaseStart- and -BaseEnd patterns in downloaded files, including images.

  2. Patch legacy Office installations - If you can't upgrade, ensure Equation Editor is disabled or removed.

  3. Monitor Office child processes and their downloads - Excel or the Equation Editor process (EQNEDT32.EXE) launching mshta.exe or PowerShell, and those processes then fetching image files, should raise immediate red flags.

  4. Leverage VirusTotal similarity searches - When you find one sample, search for similar files to uncover related campaigns.

The broader lesson here is that threat actors are creatures of habit. When they find a technique that works, they reuse it—sometimes across hundreds of campaigns. That repetition creates patterns defenders can track. One YARA rule built today might catch tomorrow's campaign before it reaches your inbox.
