Cybersecurity software has grown quite capable of detecting suspicious files, and with businesses becoming increasingly aware of the need to up their security posture with additional layers of protection, subterfuge to evade detection has become necessary.

In essence, any cybersecurity software is strong enough to detect most malicious files. Hence, threat actors continually seek different ways to evade detection, and among those techniques is using malware hidden in images or photos.

Malware hiding in images

It might sound far-fetched, but it is quite real. Malware placed inside images of various formats is a result of steganography, the technique of hiding data within a file to avoid detection. ESET Research spotted this technique being used by the Worok cyberespionage group, who hid malicious code in image files, only taking specific pixel information from them to extract a payload to execute. Do mind that this was done on already compromised systems though, since as mentioned previously, hiding malware inside images is more about evading detection than initial access.

Most often, malicious images are made available on websites or placed inside documents. Some might remember adware: code hidden in ad banners.  Alone, the code in the image cannot be run, executed, or extracted by itself while embedded. Another piece of malware must be delivered that takes care of extracting the malicious code and running it. Here the level of user interaction required is various and how likely someone is to notice malicious activity seems more dependent on the code that is involved with the extracting than on the image itself.

The least (most) significant bit(s)

One of the more devious ways to embed malicious code in an image is to replace the least significant bit of each red-green-blue-alpha (RGBA) value of every pixel with one small piece of the message. Another technique is to embed something into an image’s alpha channel (denoting the opacity of a color), using only a reasonably insignificant portion. This way, the image appears more or less the same as a regular one, making any difference hard to detect with the naked eye.

An example of this was when legitimate advertising networks served up ads that potentially led to a malicious banner being sent from a compromised server. JavaScript code was extracted from the banner, exploiting the CVE-2016-0162 vulnerability in some versions of Internet Explorer, to get more information about the target.

Two images. with one being more blurry, hiding malicious code

It might seem like both pictures are the same, but one of them includes malicious code in the alpha channel of its pixels. Notice how the picture on the right is strangely pixelated. 
(Source: ESET Research)

Malicious payloads extracted from pictures could be used for various purposes. In the Explorer vulnerability case, the extracted script checked whether it was running on a monitored machine — like that of a malware analyst. If not, then it redirected to an exploit kit landing page. After exploitation, a final payload was used to deliver malware such as backdoors, banking trojans, spyware, file stealers, and similar.

Three blue pictures, with the last one hiding dark spots with malware
From left to right: Clean image, image with malicious content, and the same malicious image enhanced to highlight the malicious code (Source: ESET Research)

As you can see, the difference between a clean and a malicious image is rather small. For a regular person, the malicious image might look just slightly different, and in this case, the weird look could be chalked up to poor picture quality and resolution, but the reality is that all those dark pixels highlighted in the picture at the right are a sign of malignant code.

No reason to panic 

You might be wondering, then, whether the images you see on social media could harbor dangerous code. Consider that images uploaded to social media websites are usually heavily compressed and modified, so it would be very problematic for a threat actor to hide fully preserved and working code in them. This is perhaps obvious when you compare how a photo appears before and after you’ve uploaded it to Instagram — typically, there are clear quality differences.

Most importantly, the RGB pixel-hiding and other steganographic methods can only pose a danger when the hidden data is read by a program that can extract the malicious code and execute it on the system. Images are often used to conceal malware downloaded from command and control (C&C) servers to avoid detection by cybersecurity software. In one case, a trojan called ZeroT, through infested Word docs attached to emails, was downloaded onto victims’ machines. However, that’s not the most interesting part. What’s interesting is that it also downloaded a variant of the PlugX RAT (aka Korplug) — using steganography to extract malware from an image of Britney Spears.

In other words, If you are protected from trojans like ZeroT, then you do not need to care as much about its use of steganography.

Finally, any exploit code that is extracted from images depends on vulnerabilities being present for successful exploitation. If your systems are already patched, there is no chance for the exploit to work; hence, it is a good idea to always keep your cyber-protection, apps, and operating systems up to date. Exploitation by exploit kits can be avoided by running fully patched software and using a reliable, updated security solution.

The same cybersecurity rules apply as always — and awareness is the first step toward a more cyber secure life.