While there’s an old English adage that says a “picture may be worth a thousand words,” malicious actors believe the value of these images is much higher and they’re doing something about it.
Hiding malware in images is not a new technique for attackers, but recent implementations have added new dimensions to the never-ending cat and mouse game with security analysts. On one side, malicious actors are working to get information of interest from targeted computer environments, which usually involves planting some kind of software that will provide that information continuously. Traditionally, the most common way of doing that has been to plant an executable file and make it run.
On the other side are businesses, which are constantly working to improve their defensive systems to successfully detect such executable implants. Increasingly, attackers have their sights set on images, the same ones we frequently click on, to gain access to information systems.
The reason images are being targeted begins with a widespread industry fallacy—that malware in formats such as PNG, BMP, GIF, and JPEG are far less harmful than executable files. Always on the hunt for vulnerabilities, bad actors are taking advantage. Here are some other reasons why some of these specific formats are being targeted.
- GIF files possess a structural simplicity that makes it an ideal format for transporting malware.
- BMP files have surpassed more popular formats but are still supported by all major web browsers and imaging programs. As a result, BMP is largely inconspicuous and thus a very convenient target for malware authors.
With this knowledge, threat actors are planting executable files within images. These files can then be used to deploy malware in combination with a dropper, a kind of Trojan that allows the malware to avoid detection until it’s activated on the targeted system. In the case of images, the dropper acts as a benign executable, which parses malicious content hidden inside of an image.
One area where we regularly see this technique used is with web uploads. We all upload images such as photos, screenshots, logos, and memes from time to time from our phones and computers for personal and business purposes, but did you know that many websites improperly filter out executables and scripts?
This failure results in images that can be packed with malicious code and uploaded to a web server where they serve as time bombs of potential vulnerability. Once accessed, these images execute their contents via PHP web shells, malicious scripts used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application.
But how exactly does the malware get embedded into these images? Increasingly, threat actors discover and exploit vulnerabilities in applications used to parse image formats. To remain undetected and avoid attracting the attention of security tools, attackers typically try to create files that adhere to the image format specification whenever possible. The simplest way to embed malicious content into an image is to append it to the image end, or, as it’s commonly referred to, the overlay. Malicious actors typically just take a benign image file and append some content. This makes it a well-known method that is quite easy to detect.
Malware can also be placed on the EXIF tags, metadata fields that store descriptive image data. This includes information such as the date and time the picture was taken and from where etc. This data is part of the image format but you don’t need it to view the file. In fact, some image viewing tools don’t even present these tags to the users, which like a benign image file, makes them a great hiding place.
When it comes to detecting these novel malware threats, the best place to start is by using an advanced search engine that leverages machine learning to locate images containing PHP code in their EXIF tags. You’ll be surprised what you can find through a simple search query.
For example, you may find a file—1c308589a493469416df53acaa75a7fd4aed7e65 SHA1 hash –that includes EXIF metadata which is copyright tag— EXIF — [Subimage 0] Copyright. . To a security team, it will be pretty obvious this is a specifically chosen sequence of bytes. After a few minutes on Google, they may also find that this PHP code was used in the past to check if a server is vulnerable to file inclusion attacks. Mainly on sites using Content Management Systems like Joomla or WordPress.
This PHP code on its own will likely be detected by the majority of security tools. However, hide it inside an image and the detection rate drops drastically. In fact, the detection rate for this type of code smuggling hasn’t significantly improved over the last decade.
Another option is to use what we like to call a YARA Retrohunt in malware searches. YARA rules are a method of identifying malware across large historical sample sets extremely quickly to detect these hidden threats.
In the case of images, YARA rules can be used to match samples starting with some of the magic byte sequences that are characteristic for image formats and also have the string “eval (” within. What this string tells us is that the item in question potentially has a call to an eval function somewhere in the image content. This is not typical in multimedia files. At this point, teams may identify PHP code.
Using a threat intelligence solution and available tools such as CyberChef, hunters can identify not only the information on the functionality of the code embedded within the image but the origin of a sample and the source from which it was acquired.
Malware authors and threat actors are always looking for blind spots where they are able to elude defenses and images are the latest target. When successful, one-click on an innocuous-looking image could lead to a severe business operation interruption and major brand damage. For this reason, businesses must have the ability to analyze every piece of content entering their network, regardless of file format. They must then be able to check each for malicious objects potentially buried within. You never know where the next threat is lurking.
Karlo Zanki, Reverse Engineer, ReversingLabs