Cybercriminals are putting a new spin on the old trick of hiding malware code in Exchangeable Image File Format (EXIF) data. Recently, attackers were observed using this technique in image files, rather than text files, and uploading them to googleusercontent.com servers.
In a July 18 company blog post, Sucuri senior malware researcher Denis Sinegubko detailed one such case in which EXIF code from a Pacman .jpg image was used to mask a malicious script that steals PayPal security tokens, uploads web shells and arbitrary files, inserts defacement pages and communicates addresses of exploited websites back to the attacker.
This image was uploaded – likely via a Blogger or Google+ account – onto Google servers, so that it would be readily available for downloading from compromised websites, Sinegubko states.
According to Sucuri, this methodology is more effective that the previous technique of using EXIF in conjunction with text files stored on Pastebin and Github. “Unless you decide to check [the images’] metadata and know how to decode them in each particular case, you’ll have absolutely no idea about their malicious payload,” writes Sinegubko. “Moreover, it’s quite hard to report malware on googleusercontent.com to Google” because “most of their tools require providing links to original posts, pages, or comments that contain the infringing content,” and it’s difficult to ascertain where the images originated from.