The malvertising space may be seeing an influx of more advanced threat actors according one research report that found polyglot images now being used to disguise malvertising attacks.
Polyglot images, which differ from their near cousins steganographic images primarily by not needing an external script to extract the payload, have been spotted in the wild, said researchers at Devcon. The researchers noted that using polyglot images is not a new method of attack. Similar JS/GIF polyglots have been shown in proof of concept tests to work around a server's Content Security Policy to execute XSS attacks.
“This may indicate that more advanced groups are now moving into the ad fraud space to exploit users,” the report said.
The incidents spotted by Devcon saw the malicious actors using .bmp images as their camouflage and trick a system into accepting the image by manipulating the size of the image and hexadecimal characters by making the computer believe it is looking at something benign.
“This attack has many layers and new techniques to attempt to hide what it's true nature is and to hinder white hat reverse engineers from figuring out exactly how it works,” Devcon said.