Blank Image Attack: Blank Images Used to Evade Anti-Malware Checks

The Blank Image Attack also bypasses VirusTotal detection.

Researchers at Avanan have discovered a newly detected Blank Image Attack, in which hackers are hiding malicious scripts in black image files.

According to Check Point Software company Avanan researchers, a new attack tactic is designed to lure innocent users into giving away their assets. It has been dubbed a Blank Image attack, and the targets are spread across the globe.

In this new phishing scam, hackers send blank images in HTML attachments. When the recipient opens the attachment, they are redirected to a malicious landing page that delivers malware.

Researchers reported that attackers have now learned how to bypass antivirus services such as VirusTotal and implant malware in Blank images. Avanan’s cybersecurity researcher, Jeremy Fuchs, noted that scammers could easily target anyone using this tactic as the objective is to obtain something from the user.

“Any user with access to credentials or money is a viable target,” Fuchs noted.

How Does the Attack Work?

As per the findings, this phishing attack targets the victim via email. The email includes a document purportedly sent from DocuSign, which contains a link that takes the victim to the electronic agreement management service’s official website if they click the button “View Completed Document.”

This is interesting as the link redirects the victim to the legit landing page of DocuSign, so they are tricked into trusting the email. The danger, however, lies in the HTML or .htm attachment that’s a part of the DocuSign link, as this attachment contains an SVG image.

The phishing documents (Credit: Avanan)

This image is encoded using Base64- a binary-to-text encoding program. This is an empty image, but the file has an active JavaScript that redirects the victim to the malicious link. Since this is a blank image, nothing appears on the screen. It is only used to serve the malicious script to bypass antivirus services.

If you want to stay safe, avoid opening any attachments with the extension .htm, and it is recommended that administrators block HTML attachments.

Related Posts