An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites.
Hiding malware in an image file is a well-known way to circumvent detection –many filters and gateways let image file formats pass without too much scrutiny. But the unique benefit of this specific technique is that it can be used to compromise even a fully patched, up-to-date website with no obvious vulnerabilities – just by uploading an image to a website.
“PHP provides a nice function that allows you to read out and parse EXIF data, so if you target a website that allows you to upload images and also uses PHP scripts, you can essentially upload any malware you want,” explained Karl Sigler, a security research manager at Trustwave SpiderLabs.
He added, “Web-based firewalls and malware scanners and the like tend to whitelist image files. This is pretty smart, and we don’t see this technique that often.”
EXIF, or Exchangeable Image Format, is a standard that specifies the characteristics of images, sound and ancillary tags used by digital cameras, scanners and other devices – things like file name, size, resolution and so on. PHP has a built-in function for extracting that image EXIF metadata and reading it — for instance, as an accessibility feature for the visually impaired.
threatpost.com
