Image File Malware Techniques: Embedding Code Into Images
Explore how hackers embed malware in image files using techniques like pixel manipulation and steganography, plus methods for detection and prevention.
Image File Malware Techniques
Hackers can hide malware in image files in several ways: altering pixels in a JPEG photo to embed malicious code, so that the color value differences between altered and unaltered pixels are too subtle for the human eye to detect; hiding a payload within the image's code itself; calling other executables to carry out the attack; and appending text strings to the end of the file, which does not change the visual appearance of the image (HackerNoon, SentinelOne).
Hackers embed malicious code into image files by hiding it within the pixels of the image; a separate component later reads specific pixel information back out to reconstruct and execute the payload. This technique has been observed in cyberespionage groups such as Worok, who use it to evade detection on compromised systems. Malicious images are often distributed on websites or inserted into documents. The code embedded in the image cannot run on its own; a separate piece of malware must extract and execute it. Various methods can be used to embed malware into images, such as attaching it to the end of the file, making slight tweaks to individual bits, or altering the metadata associated with the file (Ruchir R, David Artykov, Gizmodo).
The process of steganography involves embedding malicious code within the pixels of an image without altering its visual appearance, using sophisticated methods to ensure the hidden message remains undetected. Threat actors utilize steganographic techniques to conceal malware within seemingly innocent files, allowing them to bypass traditional antivirus software and successfully exfiltrate user data or deliver malicious payloads (SentinelOne, Protectstar).
Malware hidden in an image file is extracted and executed by another piece of malware that is delivered to the compromised system. The embedded code is not capable of running on its own; it requires that separate malware to extract and execute it. The level of user interaction required varies, and how well the attack evades detection depends more on the code that extracts the malware than on the image itself (Ruchir R, WeLiveSecurity).
Image File Vulnerabilities and Detection
Common file formats that can be used to hide malware include ZIP and RAR archives, as cybercriminals often conceal malware within these types of files (Kaspersky). Additionally, archive files such as ZIP and RAR files have surpassed Microsoft Office files as the most common way to distribute malware, with 44% of all malware delivered in Q3 2022 using this format (TechRadar). Malware distributors may also use lesser-known compression or archive types in the hope that their obscurity will keep them off lists of file types to block (Barracuda).
Hackers can exploit vulnerabilities in image processing software by having it execute arbitrary code hidden inside image files that users upload. This allows attackers to make a web server run code of their choosing, giving them control over websites that use the software (Cloudflare, Ars Technica). Another technique is disguising malware as a legitimate image file, which, when uploaded, places a malicious file on the server (Ars Technica).
Indicators and checks that can reveal malware in image files include: detecting hidden content at the network level with signature-based or heuristic methods; using SHA or MD5 checksums, which also scales to large file sizes; inspecting data appended to the image file with tools such as a PE viewer or a debugger; exploring EXIF tags for hidden code or signs of malicious activity; examining metadata fields related to the image, such as camera model, date, time or geolocation, for anomalies; and searching for images whose EXIF tags contain PHP code as a starting point for identifying malware (IntechOpen, ReversingLabs).
Security researchers detect and analyze image files containing hidden malware through methods such as using antivirus programs with signature-based detection to identify known viruses, employing heuristic methods to detect suspicious activities indicative of malware, checking EXIF tags in images for hidden malware, and utilizing tools like SHA or MD5 checksums to verify the integrity of large files (IntechOpen, ReversingLabs).
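As an added example that is not code from any of the cited sources, the following Python scanner applies two of the checks listed above to a file's raw bytes: it reports data appended after a JPEG's EOI marker or a PNG's IEND chunk, and script text such as `<?php` inside JPEG COM/APPn segments or PNG text chunks. It assumes a baseline (single-scan) JPEG; the sample files at the bottom are constructed for illustration and are not real malware.

```python
import re, struct

JPEG_SOI, JPEG_EOI, PNG_SIG = b"\xff\xd8", b"\xff\xd9", b"\x89PNG\r\n\x1a\n"
# Text that has no business inside an image's metadata (EXIF/COM/tEXt segments).
SCRIPT_TEXT = re.compile(rb"<\?php|eval\(|base64_decode\(", re.IGNORECASE)

def jpeg_findings(data):
    # Walk the marker stream: flag script text in APPn/COM segments and bytes appended after EOI.
    findings, pos = [], 2  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: scan data follows; FF is byte-stuffed there, so FFD9 only occurs as EOI
            end = data.find(JPEG_EOI, pos)
            if end == -1:
                return findings + ["no EOI marker"]
            trailing = len(data) - end - 2
            return findings + ([f"{trailing} bytes appended after EOI"] if trailing else [])
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length field includes itself
        payload = data[pos + 4:pos + 2 + seg_len]
        if (0xE0 <= marker <= 0xEF or marker == 0xFE) and SCRIPT_TEXT.search(payload):
            findings.append(f"script text in segment 0x{marker:02X}")
        pos += 2 + seg_len
    return findings + ["truncated or malformed marker stream"]

def png_findings(data):
    # Walk the chunk list: flag script text in text chunks and bytes appended after IEND.
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and SCRIPT_TEXT.search(body):
            findings.append(f"script text in {ctype.decode()} chunk")
        pos += 12 + length  # length + type + body + CRC
        if ctype == b"IEND":
            return findings + ([f"{len(data) - pos} bytes appended after IEND"] if len(data) > pos else [])
    return findings + ["no IEND chunk"]

def scan_image(data):
    # Dispatch on the magic bytes; a file whose header matches neither format is itself a finding.
    if data.startswith(JPEG_SOI):
        return jpeg_findings(data)
    if data.startswith(PNG_SIG):
        return png_findings(data)
    return ["unrecognised or spoofed image header"]

# Constructed samples (hypothetical, not real malware): a PNG with a stub appended after IEND, a JPEG with PHP text in its COM segment.
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00IEND\xaeB`\x82"  # empty IEND chunk with its standard CRC
TAMPERED_PNG = CLEAN_PNG + b"MZ-appended-stub"
COM = b"<?php echo 'x'; ?>"
TAMPERED_JPEG = JPEG_SOI + b"\xff\xfe" + struct.pack(">H", len(COM) + 2) + COM + b"\xff\xda\x00\x02" + JPEG_EOI
```

Running `scan_image` over a directory of uploads gives a cheap first-pass triage; a clean result does not rule out pixel-level steganography, which needs statistical steganalysis rather than structure checks.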
Social Engineering and Malware Concealment
Hackers use social engineering techniques to trick users into downloading image files with hidden malware by making the malicious images available on websites or placing them inside documents that users are likely to interact with. They may disguise the image files as something appealing or important to the users, such as ad banners or attractive content, to increase the likelihood of them being downloaded or opened. This manipulation of human psychology aims to deceive users into unwittingly exposing their systems to the hidden malware, taking advantage of their trust or curiosity to bypass security measures and evade detection (Ruchir R).
The image file remains visually unchanged after embedding because the payload is stored in specific pixel information that a separate component later reads back out for execution (Ruchir R). The same effect is achieved by attaching the malware code to the end of the file, making slight tweaks to individual bits, or altering the metadata associated with the file (Gizmodo). Using these techniques, hackers can hide malware in images without visibly altering the appearance of the image.
Prevention and Real-life Examples
Regularly update security solutions so that they recognise current threats, including malware hidden in image formats such as PNG, BMP, GIF or JPEG (ReversingLabs). Implement steganography detection techniques that identify hidden data within image files, so that malware concealed this way does not evade detection (WeLiveSecurity). Educate users about the risks of downloading images from untrusted sources or opening suspicious documents containing images, to prevent malware from executing on their systems (Ruchir R).
One real-life example of a cyber attack involving malware hidden in image files is the Worok cyberespionage group discovered by ESET Research. This group hid malicious code in image files using steganography, with the payload reconstructed from specific pixel information in the images and then executed. It is important to note that this technique was used on already compromised systems to evade detection, rather than for initial access (WeLiveSecurity). Another example is LokiBot, an information-stealing Trojan that uses steganography to hide its malware in images and an executable file (HackerNoon).
The integration of malware into image files through techniques such as steganography, pixel manipulation, and metadata alteration presents a significant security challenge. These methods enable cybercriminals to bypass traditional detection mechanisms, exploit vulnerabilities in image processing software, and rely on social engineering tactics. The legal ramifications of distributing malware through such deceptive means are substantial, potentially leading to criminal charges and civil liabilities. To mitigate these risks, it is crucial to strengthen security protocols, use advanced detection methods, and raise user awareness of the dangers of interacting with untrusted or suspicious image files. Real-life incidents involving groups like Worok and malware such as LokiBot illustrate the sophistication and potential impact of these threats, underscoring the need for continuous vigilance and improvement in cybersecurity strategies.
References
- Ars Technica. Exploits gone wild: Hackers target critical image-processing bug. Retrieved from https://arstechnica.com/information-technology/2016/05/exploits-gone-wild-hackers-target-critical-image-processing-bug/
- Barracuda. Malware 101: File type evasion techniques. Retrieved from https://blog.barracuda.com/2023/11/17/malware-101-file-type-evasion
- Cloudflare. Inside ImageTragick: The Real Payloads Being Used to Hack Websites. Retrieved from https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2
- Gizmodo. How Malware Hides in Images and What You Can Do About It. Retrieved from https://gizmodo.com/malware-images-virus-photos-pictures-how-block-antiviru-1849572516
- HackerNoon. Steganography: How Hackers Hide Malware in Images. Retrieved from https://hackernoon.com/steganography-how-hackers-hide-malware-in-images-zh1p3723
- IntechOpen. Malware: Detection and Defense. Retrieved from https://www.intechopen.com/chapters/84686
- Kaspersky. Top 4 dangerous attachments in spam e-mails. Retrieved from https://www.kaspersky.com/blog/top4-dangerous-attachments-2019/27147/
- Ruchir R. Beyond Phishing: The Truth About Malware in Pictures. Retrieved from https://www.linkedin.com/pulse/beyond-phishing-truth-malware-pictures-ruchir-r--ndspe
- David Artykov. Embedding malicious codes/payloads into any file types (method-1). Retrieved from https://medium.com/purple-team/embedding-malicious-codes-payloads-into-any-file-types-method-1-f001f8823ebb
- Protectstar. Hiding in Plain Sight: How Malware Can Be Concealed Using Steganography in Images? Retrieved from https://www.protectstar.com/en/blog/hiding-in-plain-sight-how-malware-can-be-concealed-using-steganography-in-images
- ReversingLabs. Malware in images: When you can’t see ‘the whole picture’. Retrieved from https://www.reversinglabs.com/blog/malware-in-images
- SentinelOne. Hiding Code Inside Images: How Malware Uses Steganography. Retrieved from https://www.sentinelone.com/blog/hiding-code-inside-images-malware-steganography/
- TechRadar. These are the file types most likely to be hiding malware. Retrieved from https://www.techradar.com/news/these-are-the-file-types-most-likely-to-be-hiding-malware
- WeLiveSecurity. Malware hiding in pictures? More likely than you think. Retrieved from https://www.welivesecurity.com/en/malware/malware-hiding-in-pictures-more-likely-than-you-think/