posted on  by 

PNG Image Metadata leads to New iFrame Injections

Filed under  Application Security, Malware, Microsoft Malware, Mobile Malware, Security Research
0

new_iframePeter Gramantik, a malware researchers from Sucuri has discovered a new way to distribute malware that relies on reading  JavaScript code stored in an obfuscated PNG file’s metadata to trigger iFrame injections.

This injection makes it very harder for antivirus detection because the injection  method is  deeply engrained in the image’s metadata. This iframe can be seen by the browser and  Google, nice little technique both for drive-by-download and Search Engine Poisoning (SEP) attacks.

How its done ? 

The  iFrame calls for a simple JavaScript file, jquery.js that loads a PNG file, dron.png.( codes in screenshot below)  Its a basic img file and nothing appears to be wrong.  What did catch Gramantik off guard was stumbling upon a decoding loop in the JavaScript. It’s in this code, in this case the strData variable, that he found the crust of the attack.

iframe_injection

 

The iFrame calls upon the image’s metadata to do its malicious work, placing it outside of the browser’s normal viewing area, off the screen entirely, -1000px, as per Gramatik.  A negative placement is een on  your browser, everything is positive.

sucuri-png-iframe-payload

The payload can be seen in the elm.src part (above) of the data: A suspicious-looking, Russian website that according to a Google Safe Browsing advisory is hosting two Trojans and has infected 1,000-plus domains over the last 90 days.

Lastly of course we have the payload, which can found on that domain set in the elm.src element.

Why is this Unique ?

“This is unique because in the level of effort being taken to obfuscate the payload. Most scanners today will not decode the meta in the image, they would stop at the JavaScript that is being loaded, but they won’t follow the cookie trail. This also talks to the benefit, at least for attackers, it’s exceptionally difficult to detect.” as per Suckri

All the pictures and articles were courteousy of Suckri

As per threadpost pointed out from a previous article,[ “this strategy isn’t exactly new; Mario Heiderich, a researcher and pen tester at the German firm Cure 53 warned that image binaries in Javascript could be used to hide malicious payloads in his “JavaScript from Hell” con talk back in 2009.”

“Similarly, Saumil Shah, the CEO at Net-Square described how to embed exploits in grayscale images by inserting code into pixel data in his talk, “Deadly Pixels” at NoSuchCon in Paris last year and at DeepSec in Vienna the year before that.

Still though, it appears Gramantik’s research might be the most thought out example of the exploit to date using this kind of attack vector.”]

Share Button
Tagged with 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>