- Researchers from DEVCON have observed a group of malvertisers using polyglot images to hide malicious ad payloads.
Why it matters - Attackers hiding malicious payloads inside images with steganography is a familiar technique. However, polyglot images differ from steganographic images:
- Steganography hides malware in an image by altering a few pixels, which makes it difficult to detect.
- Polyglot images, by contrast, do not require an external script to extract the payload.
The big picture - In these malvertising campaigns the attackers use BMP (.bmp) images and manipulate the image's size bytes and hexadecimal characters so that a computer treats the file as something other than a plain image.
The same BMP file can then be interpreted by the browser in two different ways.
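As an added example (not DEVCON's research code), the following Python script shows the structural checks a defender could run on a BMP served through an ad network: whether the declared file size matches the real length, whether any bytes trail the pixel array, and whether script-like text appears anywhere in the file. The minimal bitmap and its tampered copy are constructed inline as sample input.

```python
import struct

# ASCII sequences that have no business inside a bitmap.
SCRIPT_TOKENS = (b"/*", b"*/", b"<script", b"eval(", b"document.")

def build_bmp(width=2, height=2, pixel=b"\x00\x00\xff"):
    """Construct a minimal 24-bit BMP (constructed sample input for the checks below)."""
    row = (pixel * width).ljust(((24 * width + 31) // 32) * 4, b"\x00")  # rows pad to 4 bytes
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib))
    return header + dib + pixels

def inspect_bmp(data: bytes) -> dict:
    """Structural checks that flag a BMP whose bytes do not add up to a plain image."""
    result = {"valid_magic": False, "size_mismatch": False, "trailing_bytes": 0, "tokens": []}
    if len(data) < 54 or data[:2] != b"BM":
        return result
    result["valid_magic"] = True
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    # The file size written in the header must match the real length of the file.
    result["size_mismatch"] = declared_size != len(data)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    row_bytes = ((bpp * width + 31) // 32) * 4
    pixel_end = pixel_offset + row_bytes * abs(height)
    # Anything after the pixel array is not needed to render the image.
    result["trailing_bytes"] = max(0, len(data) - pixel_end)
    # Report which script-like tokens, if any, occur in the bytes.
    result["tokens"] = [t.decode() for t in SCRIPT_TOKENS if t in data]
    return result

def is_suspicious(data: bytes) -> bool:
    r = inspect_bmp(data)
    return (not r["valid_magic"]) or r["size_mismatch"] or r["trailing_bytes"] > 0 or bool(r["tokens"])

CLEAN = build_bmp()
# Constructed tampered sample: header still declares the clean size, script-like text appended.
TAMPERED = CLEAN + b"*/ var payload = 1; /* constructed trailing text */"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, inspect_bmp(blob), "suspicious" if is_suspicious(blob) else "ok")
```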
The bottom line - Such techniques are not new; security researchers have long seen them used to execute shellcode and deploy server-side attacks.
Similar JS/GIF polyglot images are a known technique for bypassing a server's Content Security Policy to execute XSS attacks. This implies that more threat actors are now moving into the ad fraud environment and using such techniques against users.