Stealthy Malware Hidden in Images Takes to GoogleUserContent

Malware that uses Exchangeable Image File Format (EXIF) data to hide its code has migrated to a new platform: GoogleUserContent sites, such as Google+ and blogger forums.

In this technique, previously seen on Pastebin and GitHub, hackers embed malicious code within uploaded images – a stealthy approach, since images are rarely scanned for malware, researchers at Sucuri said on Thursday.

These scripts can weaponize the website by uploading a predefined web shell or arbitrary files, placing defacement pages, establishing backdoors and more, and then can email the addresses of successfully exploited sites back to the attacker. The migration to Google exacerbates the pervasiveness of the problem.

More specifically, the code is injected into the technical EXIF metadata within the website images; EXIF headers are generated automatically by digital cameras to record camera information in the headers of JPEG and TIFF files. Hackers can access EXIF data for existing images by capitalizing on any vulnerabilities found within the website that expose its coding. From there, they can inject malicious scripts.

The malware succeeds in hiding in plain sight given that it’s injected into legitimate images that are already part-and-parcel of the sites in question. Attackers can compromise these, but they will still load and work properly, offering no tip-off to the webmaster or site visitors that something’s amiss.

“Unless you decide to check their metadata and know how to decode them in each particular case, you’ll have absolutely no idea about their malicious payload,” the Sucuri researchers said. “It’s hard to say where the images originate from, as their URLs are anonymized and have the same format.”

This type of malware infection (a form of steganography) is potentially possible on any site with downloadable images, not just sites that were generated within the GoogleUserContent system. However, the evolution of the technique to Google is a more severe problem, for two reasons: One, Google images are widely downloaded and used (and trusted); and two, it’s harder to report any exposed malware infections within that system, according to Securi.

To the first point: To spread their influence, hackers will try to gain access to popular images or get their own, already-weaponized images uploaded and publicly distributed on trusted sites. In migrating the approach to Google, “we see that the main goal is to host malicious scripts on a reliable and trusted server so that they are always available for downloading from any compromised sites,” explained Sucuri researcher Denis Sinegubko, in a posting on Thursday. “It could be an image uploaded for a blogger post, Google+ post or even a public picture from Google photos.”

Anyone that downloads the image and utilizes it on their site will then be compromised, the researcher told Threatpost in an email interview. “The hacker simply has to wait for reports from that particular infected image and attack any sites that are using it,” he said. “Because of this, it is indeed possible for sites outside of the GoogleUserContent system to be infected.”

The attack can also be taken further. Meni Farjon, co-founder and CTO at Israel-based Solebit, told Threatpost that another unique and evasive way that attackers are using malicious code inside images uploaded to GoogleUserContent is by serving them as part of Office Documents. These remote images are loaded automatically once a user opens up a Word document.

“Those images hide malicious JavaScript code, which can then execute the code as part of exploitation such as ,” Farjon explained. The images look normal, but a closer look reveals malicious code; in one sample, it was aimed at downloading an additional two-stage malware from a remote C&C server and then executing it.

“In order to detect these kind of attacks, Google needs to adopt better anti-malware techniques, specifically in the area of content analysis and, so that they would be able to prevent those type of files being uploaded to and better protect the users which can be victimized by this,” Farjon told us.

Moreover, Google has many tools to remove content but it’s not obvious how to report malware in images. As a result, malware in images uploaded to Google’s servers is harder to report and take down, Securi’s analyst told us.

“Most of their tools require providing links to original posts, pages or comments that contain the infringing content,” Sinegubko said.

The good news is that this technique is hard to produce on a mass level – widespread website infections would require automation and the specific exploitation of vulnerabilities on a specific site.

That’s not to say vigilance isn’t required.

“The most notable thing about this type of attack is that it can be found virtually everywhere on the internet and like most malware attacks, it is generally random – so popular sites are just as vulnerable as new, small or private sites,” Sinegubko said. “We live in a world where there are dangers all around us – some visible, and some invisible.”

Webmasters can minimize the attack surface against these types of threats by keeping up-to-date with security patches, using strong passwords and an application firewall, and monitoring the integrity of the files on the servers.

Average web surfers need to be aware of the dangers too, according to Mukul Kumar, CISO and vice president of Cyber Practice at Cavirin.

“Separate from ensuring the website is secured, end users must also assume that no file or image is safe,” Kumar told Threatpost. “This requires training on how to ensure one’s cyber-posture. Don’t download images from unknown sources, and in the same way that mail is many times filtered, we’ll see more of the same for images. Unfortunately, though larger enterprises many times implement these best practices, these are not as widely deployed by small businesses and individuals.”