
Malicious Images

What are Malicious Images?

There are innumerable cybersecurity threats out there, but you may be surprised to learn that images are among them. Image steganography is the practice of hiding information inside an image in such a way that it is not evident to human inspection. A standard JPEG photo contains several megabytes of pixel data, and one method attackers use is to alter some of those pixels to conceal parts of ransomware code, to carry cryptominers, or to embed other malicious code. Almost any image format can be edited to conceal malware. Image steganography attacks are very easy to implement, with DIY toolkits and free apps widely available. Examples of malware using steganography include [1]:

  • AdGholas. Hides malicious JavaScript in image, text, and HTML files
  • Cerber. Embeds malicious code in image files
  • DNSChanger. Uses PNG LSBs to hide malware AES encryption key
  • Stegano. PNG formatted banner ads containing malicious code
  • Stegoloader (aka ‘Lurk’). Uses both steganography and cryptography to conceal an encrypted URL that delivers later-stage payloads
  • Sundown. White PNG files are used to conceal exploit code or exfiltrate user data
  • SyncCrypt. Ransomware that hides part of its core code in image files
  • TeslaCrypt. HTML comment tags in an HTTP 404 error page contain C2 server commands
  • Vawtrak (aka ‘Neverquest’). Hides a URL in the LSBs of favicons in order to download a malicious payload
  • VeryMal. Malware that targets macOS users with malicious JavaScript embedded in a white bar image
  • Zbot. Appends data to the end of a JPEG file containing hidden data
  • ZeroT. Chinese malware that uses steganography to hide malware in an image of Britney Spears

Some examples of the malicious image techniques include:

Stegosploit. Stegosploit refers to the practice of hiding malicious code or malware within an image’s pixels. The script hidden in the pixels can execute malicious code, download malicious attachments, or upload data, all while the image appears unaltered to the human eye.

Double extension. A double extension attack occurs when cyberattackers manipulate a file’s extensions so that its name tricks a user into clicking on it and downloading malware. An example of a double extension would be a malicious file that appears to the user as image.jpg when its full file name is actually image.jpg.exe; when the user clicks on it, they unwittingly download malware or ransomware.

Spam images. Cyberattackers can send emails that prompt users to take an action, such as clicking on a malicious link or downloading a malicious file, and may use images to catch users’ attention or to distract them. In this case the image itself is not dangerous, but it is a dangerous distraction. Users can prevent this by disabling automatic image downloading or simply turning images off in their email provider’s settings.

The following tips can help you detect and protect against image steganography attacks:

  • Compare a suspect image against a known original and look for minor color variations between the two
  • Look for a high percentage of duplicate colors
  • An image file that is larger than its dimensions and format would justify can be a sign that information is being hidden
  • Pay attention to all images and use image editing tools to look for steganography clues in the minor color variations
  • Use anti-malware software to look for “binders” (applications used to combine two files into one file)
  • Observe outbound traffic for unexpected connections
  • Install only software that carries a valid, trusted signature
  • Implement usage controls for steganography applications
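Two of the checks above, the oversized-image clue and the double-extension trick described earlier, can be scripted for offline triage. The following is an added example, not code from the original article or from SentinelOne; the function names, the regular expression of extensions, and the sample byte strings are all constructed for illustration.

```python
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"   # IEND chunk type followed by its fixed CRC

def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking JPEG segments rather
    than searching for FF D9 (an EXIF thumbnail carries its own EOI). -1 if broken."""
    pos = 2                                          # skip SOI (FF D8)
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI: the real end of the picture
            return pos + 2
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            while pos + 1 < len(data):               # here FF is followed only by 00 or RSTn
                nxt = data[pos + 1]
                if data[pos] == 0xFF and not (nxt == 0x00 or 0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return -1

def trailing_bytes(data: bytes) -> int:
    """Bytes appended after the image's logical end (the Zbot-style trick above);
    -1 when the data is not a parsable JPEG or PNG."""
    if data.startswith(b"\xff\xd8"):
        end = jpeg_end(data)
    elif data.startswith(PNG_SIG):
        idx = data.find(PNG_IEND)                    # first IEND, so a second one counts as trailing
        end = -1 if idx < 0 else idx + len(PNG_IEND)
    else:
        return -1
    return -1 if end < 0 else len(data) - end

# Image-looking name whose real (last) extension is executable, e.g. image.jpg.exe
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.(exe|scr|com|bat|cmd|js|vbs)$", re.I)

def has_double_extension(filename: str) -> bool:
    return DOUBLE_EXT.search(filename) is not None

# Constructed sample inputs (hypothetical, not real malware): a minimal JPEG with an
# APP0 segment, a scan containing a stuffed FF 00 and an RST0 marker, then EOI.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04\x00\x00" + b"\xff\xda\x00\x04\x00\x00"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
TAMPERED_JPEG = CLEAN_JPEG + b"payload-bytes\xff\xd9!!"      # appended data with a decoy EOI
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_IEND
TAMPERED_PNG = CLEAN_PNG + b"\x00hidden\x00"
```

Trailing bytes are a triage signal rather than proof: some cameras and editors append harmless metadata, so a hit should lead to closer inspection of the appended bytes, not automatic blocking.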

[1] SentinelOne, 2019, “Hiding Code Inside Images: How Malware Uses Steganography”