Threat Management, Malware, Network Security

Attackers concealing malware in images uploaded to Google servers

Cybercriminals are putting a new spin on the old trick of hiding malware code in Exchangeable Image File Format (EXIF) data. Recently, attackers were observed using this technique in image files, rather than text files, and uploading them to googleusercontent.com servers.

In a July 18 company blog post, Sucuri senior malware researcher Denis Sinegubko detailed one such case in which EXIF code from a Pacman .jpg image was used to mask a malicious script that steals PayPal security tokens, uploads web shells and arbitrary files, inserts defacement pages and communicates addresses of exploited websites back to the attacker. 

This image was uploaded – likely via a Blogger or Google+ account – onto Google servers, so that it would be readily available for downloading from compromised websites, Sinegubko states.

According to Sucuri, this methodology is more effective that the previous technique of using EXIF in conjunction with text files stored on Pastebin and Github. "Unless you decide to check [the images'] metadata and know how to decode them in each particular case, you'll have absolutely no idea about their malicious payload," writes Sinegubko. "Moreover, it's quite hard to report malware on googleusercontent.com to Google" because "most of their tools require providing links to original posts, pages, or comments that contain the infringing content," and it's difficult to ascertain where the images originated from.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.