Malware hidden in images? More likely than you think


There is more to some images than meets the eye: their seemingly innocent facade can mask a sinister threat.

Cybersecurity software is highly capable of detecting suspicious files, and as companies become increasingly aware of the need to strengthen their security posture with additional layers of protection, subterfuges to evade detection have become a necessity for attackers.

Essentially, any cybersecurity software is strong enough to detect most malicious files. Therefore, threat actors are constantly looking for different ways to evade detection, and one of these techniques is hiding malware in images or photos.

Malware hidden in images

It may sound far-fetched, but it is very real. Malware placed in images of different sizes is the result of steganography, the technique of hiding data inside a file to avoid detection. ESET Research discovered that this technique was used by the cyber espionage group Worok, which hid malicious code in image files and read only specific pixel information to reconstruct and execute a payload. Note that this happens on already compromised systems: as mentioned above, hiding malware in images is about evading detection rather than gaining initial access.

Typically, malicious images are made available on websites or placed in documents. Some may remember adware: code hidden in advertising banners. By itself, the code in the image cannot be run, executed, or extracted independently while it is embedded. Another piece of malware needs to be delivered that causes the hidden code to be extracted and executed. The level of user interaction required varies, and how likely someone is to notice malicious activity depends more on the code that does the extraction than on the image itself.

The least (most) significant bit(s)

One of the most devious ways to embed malicious code in an image is to replace the least significant bit of each red-green-blue-alpha (RGBA) value of each pixel with a small piece of the message. Another technique is to embed something in an image’s alpha channel (which indicates the opacity of a color), using only a fairly insignificant portion of it. Either way, the image looks more or less the same as a normal image, making any difference difficult to see with the naked eye.

One example of this was a campaign in which legitimate ad networks served ads that could result in a malicious banner being delivered from a compromised server. JavaScript code was extracted from the banner and used the CVE-2016-0162 vulnerability in some versions of Internet Explorer to gather more information about the target.

Two images, one of which is fuzzier and hides malicious code

It may seem like both images are the same, but one of them contains malicious code in the alpha channel of the pixels. Notice how the image on the right is strangely pixelated.
(Source: ESET Research)

Malicious payloads extracted from images can be used for various purposes. In the Internet Explorer vulnerability case, the extracted script checked whether it was running on a monitored machine, such as that of a malware analyst. If it was not, the victim was redirected to an exploit kit landing page. After exploitation, a final payload was used to deliver malware such as backdoors, banking trojans, spyware, file stealers and the like.

Three blue photos, the last one hiding dark spots containing malware
From left to right: clean image, image with malicious content and the same malicious image enhanced to highlight the malicious code (source: ESET research)

As you can see, the difference between a clean and a malicious image is quite small. To an ordinary person the malicious image may look slightly different, and in this case the strange appearance could be attributed to poor image quality and resolution, but in reality all the dark pixels highlighted in the image on the right are a sign of malicious code.

No reason to panic

You may be wondering whether the images you see on social media could contain dangerous code. Keep in mind that images uploaded to social media websites are typically heavily compressed and modified, which makes it very problematic for a threat actor to hide fully preserved, working code within them. This becomes clear when you compare what a photo looks like before and after you upload it to Instagram: there are usually obvious quality differences.

Most importantly, RGB pixel hiding and other steganographic methods can only be dangerous if the hidden data is read by a program that can extract the malicious code and execute it on the system. Images are often used to hide malware downloaded from command and control (C&C) servers, to avoid detection by cybersecurity software. In one case, a Trojan called ZeroT was downloaded to victims’ machines via infected Word documents attached to emails. However, that’s not the most interesting part. What’s interesting is that it also downloaded a variant of the PlugX RAT (aka Korplug), using steganography to extract the malware from an image of Britney Spears.

In other words, if you are protected against Trojans like ZeroT, you don’t have to worry so much about their use of steganography.

Finally, any exploit code extracted from images relies on the presence of vulnerabilities for successful exploitation. If your systems are already patched, the exploit has no chance of working; that’s why it’s a good idea to always keep your security software, apps and operating systems up to date. Exploitation by exploit kits can be avoided by using fully patched software together with a reliable, updated security solution.

The same cybersecurity rules apply as always – and awareness is the first step to a more cyber-secure life.
