With browsers granted so much autonomy in automatically playing embedded videos, GIFs and other images upon loading webpages, cyber-vigilance is necessary
As far back as 2019, there have been reports of hackers embedding malicious code within images.
Called steganography, the technique is used to hide data within a file to avoid its detection.
In recent times, the Worok cyberespionage group was found to be extracting specific pixel information from pre-formed malicious images to recover a payload to execute on an already compromised system, according to a blog from Márk Szabó, Security Writer, ESET, who noted: “Alone, the code in the image cannot be run, executed, or extracted by itself while embedded. Another piece of malware must be delivered that takes care of extracting the malicious code and running it.”
Szabó added that the level of user interaction required to get the hidden code extracted varies with how likely someone is to notice malicious activity.
Steganography methods
Still do not believe that steganography is possible? Check this out:
- One of the ways to embed malicious code in an image is to replace the least significant bit of each red-green-blue-alpha (RGBA) value of every pixel of the image with one small piece of the message.
- Another technique is to embed something into an image’s alpha channel (denoting the opacity of a color), using only a small portion of the channel to minimize any transparency differences detectable with the naked eye.
- In the CVE-2016-0162 vulnerability in some versions of the now-defunct Internet Explorer, legitimate advertising networks were tricked into serving up ads that potentially led to a malicious banner being sent from a compromised server.
Mitigating factors
Considering that images uploaded to social media websites are usually heavily compressed and modified, it would be problematic for a threat actor to hide fully preserved and intact code in them.
Most importantly, the other mitigating factors are:
- The RGB pixel-hiding and other steganographic methods can only pose a danger when the hidden data is read by a software program that knows exactly how to extract the malicious code from the right places, and then execute the reassembled script on the system.
- Images are often used to conceal malware downloaded from command-and-control servers to avoid detection by cybersecurity software. In one case, a trojan called ZeroT, delivered through infected Word docs attached to emails, was downloaded onto victims’ machines. However, that was not the most interesting part, according to Szabó. The trojan had also downloaded a variant of the PlugX RAT (aka Korplug) — using steganography to extract malware from an image of Britney Spears. In other words, if your systems are protected from trojans like ZeroT, then steganography becomes less of an issue, for now.
- Finally, any exploit code that is extracted from images depends on specific vulnerabilities being already active in the system for successful exploitation. If your systems are already patched, there is no chance for this exploit to work. Hence, it is a good idea to always keep your cyber-protection, apps, and operating systems up to date. Exploitation by exploit kits can be avoided by running fully patched software and using a reliable, updated security solution.
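The following is an added example written for this article; it is not code from ESET or from Szabó's post. It puts the two hiding methods listed above (least significant bit of every RGBA value, and the alpha channel only) and the two mitigating points (a payload is inert without a reader that knows the exact extraction order, and recompression or re-encoding wipes it) into runnable form. The cover image, the `STAGE2-PLACEHOLDER` payload string and the `sanitize` re-encoding step are all constructed here for illustration; pixels are plain RGBA tuples so the script runs with no image library.

```python
"""Added example (not code from the ESET post): LSB steganography in RGBA
pixels, the matching reader a second-stage loader would need, and the
re-encoding step that destroys such a payload. Cover image and payload are
constructed stand-ins; no real malware is involved."""
from typing import Iterator, List, Optional, Sequence, Tuple
import random

Pixel = Tuple[int, int, int, int]           # (R, G, B, A), each 0..255
ALL_CHANNELS: Sequence[int] = (0, 1, 2, 3)  # method 1 in the text: every RGBA value
ALPHA_ONLY: Sequence[int] = (3,)            # method 2 in the text: alpha channel only


def make_cover(width: int = 16, height: int = 16) -> List[Pixel]:
    """Constructed opaque gradient standing in for a real picture."""
    return [(x * 16 % 256, y * 16 % 256, (x + y) * 8 % 256, 255)
            for y in range(height) for x in range(width)]


def _bits(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels: List[Pixel], payload: bytes,
              channels: Sequence[int] = ALL_CHANNELS) -> List[Pixel]:
    """Overwrite the least significant bit of the chosen channels with a
    4-byte length header followed by the payload; every other bit is untouched,
    so each channel value moves by at most 1 (invisible to the naked eye)."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(pixels) * len(channels):
        raise ValueError("payload does not fit in the cover image")
    bits = _bits(framed)
    out: List[Pixel] = []
    for px in pixels:
        values = list(px)
        for ch in channels:
            bit = next(bits, None)
            if bit is None:
                break
            values[ch] = (values[ch] & 0xFE) | bit
        out.append((values[0], values[1], values[2], values[3]))
    return out


def _read_bytes(stream: Iterator[int], count: int) -> bytes:
    out = bytearray()
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | next(stream)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: List[Pixel],
                channels: Sequence[int] = ALL_CHANNELS) -> Optional[bytes]:
    """The reader a loader must carry: reassemble LSBs in exactly the embedding
    order. Returns None when the header is implausible, i.e. nothing intact is
    hidden (untouched image, wrong channel order, or re-encoded image)."""
    capacity_bytes = len(pixels) * len(channels) // 8
    if capacity_bytes < 4:
        return None
    stream = (px[ch] & 1 for px in pixels for ch in channels)
    length = int.from_bytes(_read_bytes(stream, 4), "big")
    if length + 4 > capacity_bytes:
        return None
    return _read_bytes(stream, length)


def max_channel_diff(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest change to any channel value between two images."""
    return max(abs(ca - cb) for pa, pb in zip(a, b) for ca, cb in zip(pa, pb))


def sanitize(pixels: List[Pixel], seed: int = 0) -> List[Pixel]:
    """Defender-side re-encoding for an upload pipeline: rewrite every LSB with
    noise, the same side effect lossy recompression or resizing has. The image
    looks identical, but any LSB-carried payload is destroyed."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    return [(px[0] & 0xFE | rng.getrandbits(1), px[1] & 0xFE | rng.getrandbits(1),
             px[2] & 0xFE | rng.getrandbits(1), px[3] & 0xFE | rng.getrandbits(1))
            for px in pixels]


def demo() -> dict:
    cover = make_cover()
    payload = b"STAGE2-PLACEHOLDER"  # constructed stand-in for hidden code
    stego = embed_lsb(cover, payload)
    stego_alpha = embed_lsb(cover, b"hi", ALPHA_ONLY)
    return {
        "rgba_roundtrip": extract_lsb(stego) == payload,
        "alpha_roundtrip": extract_lsb(stego_alpha, ALPHA_ONLY) == b"hi",
        "max_pixel_change": max_channel_diff(cover, stego),
        "after_sanitize": extract_lsb(sanitize(stego)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The numbers to take from the demo: the stego image differs from the cover by at most 1 in any channel, which is why the alpha-channel variant is invisible; the untouched cover and the sanitized copy both yield `None`, because there is no payload for a reader to find. For an intake pipeline that accepts user images, re-encoding every file (as `sanitize` models) is the cheap control; the endpoint control is stopping the loader that carries the reader.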
As always, ESET reminds readers that best practices for cyber hygiene always apply and need to be updated and tracked — all-round cyber awareness is the first step toward tighter vigilance.