The malware targets trusted Google sites.
Hackers have embedded malicious code in the metadata fields of images uploaded to Google's trusted Content Delivery Network (CDN) in order to compromise websites. The approach is damaging because users do not scan images for malware.
The injected malware hides its code in the EXIF (Exchangeable Image File) metadata format, and the compromised images are hosted on official Google properties including the Google+ social network, GoogleUserContent sites, and blogging platforms such as Blogger.com.
A similar scheme was previously observed on GitHub and Pastebin, where cybercriminals hid malware in uploaded images, but the latest campaign surpasses its predecessors. It was discovered by the cyber-security firm Sucuri, which disclosed its findings on Thursday. It is worth noting that Sucuri has since been acquired by GoDaddy.
Sucuri security researcher Denis Sinegubko identified the malware distribution scheme, which used the GoogleUserContent CDN to host one of the infected images. When such an image is downloaded, the malware immediately infects the site. The attacker then only has to wait for the infected images to report back before launching attacks against the compromised sites.
Because of this, sites outside the GoogleUserContent system can also be infected, Sinegubko assessed.
In his report published on Wednesday, Sinegubko wrote that the campaign focused on stealing PayPal security tokens in order to bypass the PayPal authentication process.
The hackers uploaded an image hosted on Google's CDN and embedded malware in it using a steganography technique: the malicious code is hidden in the image's User Comment EXIF metadata field. The code used in this campaign is a Base64-encoded string.
Decoding this string more than once yields a script that can upload a predefined web shell, together with other files, to the targeted server. The web shell was capable of defacing the server, and the attacker could receive the addresses of sites that were exploited successfully.
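The detection side of what the article describes, as an added example that is not from the article, from Sucuri, or from the campaign: a scanner that walks a JPEG's segments by hand, pulls the UserComment tag (0x9286) out of the EXIF block, peels off successive Base64 layers, and flags script markers in the result. The sample JPEG bytes, the benign twice-encoded payload and the marker list are all constructed here for illustration; a real deployment would scan images at upload time or during a site integrity check.

```python
"""Scan a JPEG's EXIF UserComment for a multiply Base64-encoded script.

Added example (not the campaign's code): a stand-alone parser for the
JPEG APP1/EXIF segment, so no image library is needed. The JPEG samples
below are constructed inline and carry only a harmless marker string.
"""
import base64
import re
import struct
from typing import Optional

USER_COMMENT_TAG = 0x9286
# Constructed list of strings a decoded payload should never contain in a photo.
SCRIPT_MARKERS = re.compile(rb"<\?php|eval\(|base64_decode\(|file_put_contents\(", re.I)


def build_sample_jpeg(user_comment: bytes) -> bytes:
    """Construct a minimal JPEG whose EXIF block holds one UserComment tag."""
    value = b"ASCII\x00\x00\x00" + user_comment      # 8-byte charset prefix + data
    ifd = struct.pack("<H", 1)                        # IFD0: one entry
    # tag, type 7 (UNDEFINED), count, value offset = 8 (TIFF hdr) + 2 + 12 + 4
    ifd += struct.pack("<HHII", USER_COMMENT_TAG, 7, len(value), 26)
    ifd += struct.pack("<I", 0)                       # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + value
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"           # SOI + APP1 + EOI


def _user_comment_from_tiff(tiff: bytes) -> Optional[bytes]:
    """Read IFD0 of a TIFF structure and return the UserComment data, minus prefix."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte order")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, _typ, n, val = struct.unpack(endian + "HHII", tiff[off:off + 12])
        if tag != USER_COMMENT_TAG:
            continue
        # Values of 4 bytes or fewer are stored inline in the offset field.
        data = tiff[off + 8:off + 12][:n] if n <= 4 else tiff[val:val + n]
        return data[8:] if len(data) >= 8 else data
    return None


def extract_exif_user_comment(jpeg: bytes) -> Optional[bytes]:
    """Walk JPEG marker segments until APP1/Exif is found; None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9 or marker == 0xDA:          # EOI, or SOS: scan data follows
            break
        if 0xD0 <= marker <= 0xD8:                    # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _user_comment_from_tiff(seg[6:])
        pos += 2 + seg_len
    return None


def _mostly_printable(b: bytes) -> bool:
    """A script decodes to text; random bytes from a false decode do not."""
    return bool(b) and sum(32 <= c < 127 or c in (9, 10, 13) for c in b) / len(b) > 0.9


def peel_base64(data: bytes, max_layers: int = 5):
    """Decode Base64 repeatedly while the result is still text; return (final, layers)."""
    b64_alphabet = re.compile(rb"^[A-Za-z0-9+/=\s]+$")
    current, layers = data.strip(), 0
    while layers < max_layers and current and b64_alphabet.match(current):
        try:
            decoded = base64.b64decode(current)
        except ValueError:                            # binascii.Error is a ValueError
            break
        if not _mostly_printable(decoded):
            break
        current, layers = decoded.strip(), layers + 1
    return current, layers


def scan_jpeg(jpeg: bytes) -> dict:
    """Return a verdict: how many Base64 layers were peeled and which markers appeared."""
    comment = extract_exif_user_comment(jpeg)
    if comment is None:
        return {"has_user_comment": False, "layers": 0, "markers": [], "suspicious": False}
    payload, layers = peel_base64(comment)
    markers = sorted({m.group(0).decode("latin-1").lower() for m in SCRIPT_MARKERS.finditer(payload)})
    return {"has_user_comment": True, "layers": layers, "markers": markers,
            "suspicious": layers >= 1 and bool(markers)}


# Constructed samples: an ordinary comment, and a harmless PHP marker encoded twice.
SAMPLE_CLEAN = build_sample_jpeg(b"Holiday photo")
_BENIGN_SCRIPT = b"<?php echo 'constructed benign sample'; ?>"
SAMPLE_HIDDEN = build_sample_jpeg(base64.b64encode(base64.b64encode(_BENIGN_SCRIPT)))

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("hidden", SAMPLE_HIDDEN)):
        print(name, scan_jpeg(sample))
```

The printable-text check in `peel_base64` matters: short plain comments such as "Holiday photo" happen to fit the Base64 alphabet, and without it the scanner would "decode" them into noise and report a bogus layer.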
Sinegubko says that hiding malware in EXIF fields was not, in itself, what concerned him; far more worrying was that the hackers were using the GoogleUserContent CDN to pursue their nefarious objectives. It is a novel idea that will certainly give security researchers restless nights.
The reason for concern is that there is no standard way to notify Google about an infected image: the company has a reporting process for copyright infringement but not for security-related issues. Sinegubko writes:
“Google has many tools to remove content but it’s not obvious how to report malware in images. Most of their tools require providing links to original posts, pages, or comments that contain the infringing content. The image here is not a part of some known public content.”
The researchers could not identify the source of the malware upload. “It’s hard to say where the images originate from, as their URLs are anonymized and have the same format,” explained researchers at Sucuri.