Peter Gramantik, a malware researchers from Sucuri has discovered a new way to distribute malware that relies on reading JavaScript code stored in an obfuscated PNG file’s metadata to trigger iFrame injections.
This injection makes it very harder for antivirus detection because the injection method is deeply engrained in the image’s metadata. This iframe can be seen by the browser and Google, nice little technique both for drive-by-download and Search Engine Poisoning (SEP) attacks.
How its done ?
The iFrame calls for a simple JavaScript file, jquery.js that loads a PNG file, dron.png.( codes in screenshot below) Its a basic img file and nothing appears to be wrong. What did catch Gramantik off guard was stumbling upon a decoding loop in the JavaScript. It’s in this code, in this case the strData variable, that he found the crust of the attack.
The iFrame calls upon the image’s metadata to do its malicious work, placing it outside of the browser’s normal viewing area, off the screen entirely, -1000px, as per Gramatik. A negative placement is een on your browser, everything is positive.
The payload can be seen in the elm.src part (above) of the data: A suspicious-looking, Russian website that according to a Google Safe Browsing advisory is hosting two Trojans and has infected 1,000-plus domains over the last 90 days.
Lastly of course we have the payload, which can found on that domain set in the elm.src element.
Why is this Unique ?
“This is unique because in the level of effort being taken to obfuscate the payload. Most scanners today will not decode the meta in the image, they would stop at the JavaScript that is being loaded, but they won’t follow the cookie trail. This also talks to the benefit, at least for attackers, it’s exceptionally difficult to detect.” as per Suckri
All the pictures and articles were courteousy of Suckri
As per threadpost pointed out from a previous article,[ “this strategy isn’t exactly new; Mario Heiderich, a researcher and pen tester at the German firm Cure 53 warned that image binaries in Javascript could be used to hide malicious payloads in his “JavaScript from Hell” con talk back in 2009.”
“Similarly, Saumil Shah, the CEO at Net-Square described how to embed exploits in grayscale images by inserting code into pixel data in his talk, “Deadly Pixels” at NoSuchCon in Paris last year and at DeepSec in Vienna the year before that.
Still though, it appears Gramantik’s research might be the most thought out example of the exploit to date using this kind of attack vector.”]