Researchers from DEVCON have observed a group of malvertisers using polyglot images to hide malicious ad payloads.
Why it matters - Attackers using steganographic techniques to hide malicious payloads inside images is already familiar. Polyglot images, however, are different from steganographic images: rather than concealing data inside the pixel content, a polyglot is a single file that is valid under two different formats at once.
The big picture - Attackers in these malvertising campaigns use BMP (.bmp) images and manipulate the image's size field and specific header bytes so that the computer also interprets the file as something other than an image.
The resulting BMP file can then be run in the browser in two different ways: rendered as an image, or parsed as the second format the crafted bytes describe.
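One defensive check follows from the structure described above: a genuine BMP has a header whose declared file size and pixel-data layout account for every byte in the file, whereas a polyglot typically carries data beyond the image payload and a size field that no longer matches the real length. The parser below is an added example written for this article (not code from the DEVCON researchers or the campaign); the fixture builder, finding strings and threshold are constructed here for illustration.

```python
import struct

# Layout of the two fixed BMP headers (BITMAPFILEHEADER 14 bytes + BITMAPINFOHEADER 40 bytes)
FILE_HEADER_LEN = 14
DIB_HEADER_LEN = 40
PRINTABLE_THRESHOLD = 0.9  # constructed heuristic: trailing bytes that are mostly text are suspicious


def build_bmp(width, height, trailing=b"", declared_size=None):
    """Construct a minimal 24-bit uncompressed BMP in memory (test fixture, not a real sample).

    `trailing` is appended after the pixel array; `declared_size` overrides the
    file-size field so a mismatch between header and real length can be simulated.
    """
    row_size = ((24 * width + 31) // 32) * 4          # rows are padded to 4-byte multiples
    pixels = b"\x00" * (row_size * height)
    offset = FILE_HEADER_LEN + DIB_HEADER_LEN
    true_size = offset + len(pixels)
    size = true_size if declared_size is None else declared_size
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, offset)
    dib = struct.pack("<IiiHHIIiiII",
                      DIB_HEADER_LEN, width, height, 1, 24,
                      0,              # BI_RGB, no compression
                      len(pixels),    # image size
                      2835, 2835, 0, 0)
    return file_header + dib + pixels + trailing


def printable_ratio(blob):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not blob:
        return 0.0
    text_like = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return text_like / len(blob)


def inspect_bmp(data):
    """Return a list of findings; an empty list means the headers account for every byte."""
    findings = []
    if len(data) < FILE_HEADER_LEN + DIB_HEADER_LEN or data[:2] != b"BM":
        return ["not a BMP file (bad magic or truncated header)"]

    declared_size, pixel_offset = struct.unpack_from("<I", data, 2)[0], struct.unpack_from("<I", data, 10)[0]
    dib_size, width, height, _planes, bpp, compression, image_size = struct.unpack_from("<IiiHHII", data, 14)

    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual length {len(data)}")

    # For uncompressed bitmaps the pixel array size follows from width/height/bpp;
    # for compressed ones trust the header's image size field.
    if compression == 0:
        row_size = ((bpp * width + 31) // 32) * 4
        expected_pixels = row_size * abs(height)
    else:
        expected_pixels = image_size
    expected_end = pixel_offset + expected_pixels

    if pixel_offset < FILE_HEADER_LEN + dib_size:
        findings.append("pixel data offset points inside the headers")

    trailing = data[expected_end:]
    if trailing:
        findings.append(f"{len(trailing)} trailing bytes after the pixel array")
        if printable_ratio(trailing) >= PRINTABLE_THRESHOLD:
            findings.append("trailing data is mostly printable text")
    return findings


if __name__ == "__main__":
    clean = build_bmp(1, 1)
    suspect = build_bmp(1, 1, trailing=b"constructed printable trailer for the example " * 2)
    print("clean:", inspect_bmp(clean))
    print("suspect:", inspect_bmp(suspect))
```

The check is deliberately format-level: it does not try to recognise any particular second language, only whether the file carries bytes the image structure cannot explain, which is the property every image polyglot shares regardless of what the extra bytes contain.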
The bottom line - Such techniques are not new to security researchers, who have seen polyglot files used to execute shellcode and to deliver server-side attacks.
Similar JS/GIF polyglot images are a known technique for bypassing a site's Content Security Policy to carry out XSS attacks. This campaign implies that more threat actors are now bringing such techniques into the ad fraud ecosystem to exploit users.