There’s more to some images than meets the eye: their seemingly innocent facade can mask a sinister threat.
02 April 2024
Cybersecurity software has become fully capable of detecting suspicious files, and as companies become increasingly aware of the need to enhance their security posture with additional layers of protection, subterfuge has become necessary to evade detection.
Essentially, any cybersecurity software is powerful enough to detect most malicious files. Therefore, threat actors continually look for different ways to evade detection, and among these techniques is using malware hidden in images or photos.
Malware hidden in images
It might sound far-fetched, but it’s quite real. Malware placed within images of various formats is the result of steganography, the technique that hides data within a file to avoid detection. ESET Research identified this technique used by cyber espionage group Worok, which hid malicious code in image files, taking only specific pixel information from them to extract a payload to execute. Note that this was done on already compromised systems, since, as previously mentioned, hiding malware within images is more about evading detection than initial access.
Most often, malicious images are made available on websites or inserted into documents. Some may remember adware: code hidden in banner ads. By itself, the code in the image cannot run or extract itself while it is embedded. A second piece of malware is needed to extract the hidden code and execute it. The level of user interaction required varies from case to case, and the likelihood of someone noticing malicious activity depends more on the code that does the extraction than on the image itself.
The least (most) significant bits
One of the sneakiest ways to embed malicious code in an image is to replace the least significant bits of each pixel’s RGBA (red-green-blue-alpha) value with a small piece of the hidden message. Another technique is to embed data in an image’s alpha channel (which denotes the opacity of a color), again using only a reasonably insignificant portion of it. Either way, the image looks more or less the same as before, making it difficult to spot any difference with the naked eye.
One example of this occurred when legitimate ad networks served ads that, in some cases, led to malicious banners being delivered from a compromised server. JavaScript code extracted from the banner exploited CVE-2016-0162, a vulnerability present in some versions of Internet Explorer, to obtain more information about the target.
Malicious payloads extracted from images can serve various purposes. In the case of the Internet Explorer vulnerability, the extracted script first checked whether it was running on a monitored computer, such as a malware analyst’s machine. If not, the victim was redirected to the exploit kit’s landing page. After exploitation, a final payload was used to deliver malware such as backdoors, banking Trojans, spyware, file stealers, and the like.
As you can see, the difference between a clean image and a malicious one is quite small. To a casual viewer the malicious image might look slightly different, and the odd appearance could easily be attributed to poor quality and low resolution, but in reality all the dark pixels highlighted in the image on the right are a sign of hidden malicious code.
There is no reason to panic
You may be wondering, then, whether the images you see on social media might contain dangerous code. Consider that images uploaded to social media websites are usually heavily compressed and modified, so it would be very problematic for a threat actor to hide fully preserved and working code within them. This is perhaps obvious if you compare how a photo looks before and after uploading it to Instagram: there are usually clear differences in quality.
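The following is an added example, not code from the article or from any of the malware it describes. It shows the least-significant-bit hiding described above on a constructed RGBA cover image, the defender’s check from the image comparison (diffing a suspect image against a known-good copy, where LSB hiding shows up as many pixels that differ by at most 1), and why the re-encoding that social networks apply on upload breaks the hidden data. The cover image, payload text and the requantisation step are all constructed stand-ins.

```python
# Constructed cover image: 32x32 RGBA pixels forming a smooth gradient
# (a stand-in for a real banner; no image library is needed here).
W, H = 32, 32
COVER = [((x * 8) % 256, (y * 8) % 256, ((x + y) * 4) % 256, 255)
         for y in range(H) for x in range(W)]

def lsb_embed(pixels, payload):
    """Hide payload in the least significant bit of each channel (R, G, B, A).
    A 4-byte big-endian length prefix tells the extractor where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels) * 4:
        raise ValueError("payload does not fit in the cover image")
    out, k = [], 0
    for px in pixels:
        ch = list(px)
        for c in range(4):
            if k < len(bits):
                ch[c] = (ch[c] & 0xFE) | bits[k]   # clear the LSB, then set it
                k += 1
        out.append(tuple(ch))
    return out

def lsb_extract(pixels):
    """Reassemble bytes from the channel LSBs, honouring the length prefix."""
    bits = [c & 1 for px in pixels for c in px]
    def value(offset, nbits):
        v = 0
        for b in bits[offset:offset + nbits]:
            v = (v << 1) | b
        return v
    length = value(0, 32)
    return bytes(value(32 + 8 * i, 8) for i in range(length))

def diff_mask(clean, suspect):
    """Defender's comparison against a known-good copy: indices of changed
    pixels and the largest per-channel delta. LSB hiding gives a delta of 1,
    invisible to the eye but obvious here."""
    changed = [i for i, (a, b) in enumerate(zip(clean, suspect)) if a != b]
    max_delta = max((abs(x - y) for a, b in zip(clean, suspect)
                     for x, y in zip(a, b)), default=0)
    return changed, max_delta

def lossy_requantize(pixels, step=4):
    """Crude stand-in for upload re-encoding: rounding every channel to a
    multiple of `step` discards exactly the bits the payload lives in."""
    return [tuple((c // step) * step for c in px) for px in pixels]
```

Running lsb_extract on the requantised image returns an empty or garbled result rather than the payload, which is the practical reason heavily re-encoded social media images are poor carriers.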
More importantly, RGB pixel hiding and other steganographic methods only pose a danger when the hidden data is read by a program that can extract the malicious code and execute it on the system. Images are often used to hide malware downloaded from command and control (C&C) servers so that it escapes detection by cybersecurity software. In one case, a Trojan called ZeroT was downloaded onto victims’ computers via infected Word documents attached to emails. More interestingly, it also downloaded a variant of the PlugX RAT (also known as Korplug), using steganography to extract the malware from an image of Britney Spears.
In other words, if you’re protected from Trojans like ZeroT, you don’t have to worry as much about its use of steganography.
Finally, any exploit code extracted from an image still depends on the presence of a vulnerability for the exploitation to succeed. If your systems are already patched, the exploit has no chance of working; it is therefore a good idea to keep your security software, apps, and operating systems up to date. Exploitation by exploit kits can be avoided by running fully updated software and using a reliable, up-to-date security solution.
The same cybersecurity rules apply as always, and awareness is the first step towards a more cyber-secure life.