Rare Steganography Hack Can Compromise Fully Patched Websites

Attackers are hiding PHP scripts in EXIF headers of JPEG images to hack websites, just by uploading an image.

An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites.

Hiding malware in an image file is a well-known way to circumvent detection – many filters and gateways let image file formats pass without too much scrutiny. But the unique benefit of this specific technique is that it can be used to compromise even a fully patched, up-to-date website with no obvious vulnerabilities – just by uploading an image to a website.

“PHP provides a nice function that allows you to read out and parse EXIF data, so if you target a website that allows you to upload images and also uses PHP scripts, you can essentially upload any malware you want,” explained Karl Sigler, a security research manager at Trustwave SpiderLabs.

He added, “Web-based firewalls and malware scanners and the like tend to whitelist image files. This is pretty smart, and we don’t see this technique that often.”

This image was seen carrying a malware dropper in a campaign in Latin America.

EXIF, or Exchangeable Image Format, is a standard that specifies the characteristics of images, sound and ancillary tags used by digital cameras, scanners and other devices – things like file name, size, resolution and so on. PHP has a built-in function for extracting and parsing that EXIF metadata, which sites use, for instance, as an accessibility feature for the visually impaired.

“It’s likely that a website offers the ability to upload images and also has an existing PHP file that allows the site to parse out the EXIF data,” Sigler explained. “In that situation, it would be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It’s simply a matter of finding a website with one that allows the attacker to point it at their malicious uploaded data.”

He said that the EXIF-reading PHP function is extremely common in multiple pre-packaged website tools and plugins, so the attack is not that difficult to pull off for anyone who understands how PHP works.

“I would say you would need moderate expertise,” Sigler said. “You don’t have to have coding experience or use any special tools; you just need to understand PHP and make use of a free online tool to manipulate the EXIF data. There are a lot of them out there.”

He added that while the technique is not new (and steganography in general is no longer as unusual as it once was), it is rare. The last known instance of a similar technique was seen in the wild in 2013, Sigler explained (Sucuri found a similar campaign that same year).

The attack has become more refined, as well. In that previous case, the entire webshell backdoor was hidden in the header. Fast-forward five years, and the approach has been modified to use a staging method. The malware in the JPEG image is just a first-stage dropper – once executed, it then downloads the full webshell from an external host.

“Technically the first stage is not really malware itself, it’s just downloading something,” Sigler said. “That makes the file smaller and easier to manipulate, so it’s less of a red flag for defenses. If you have a JPEG image that’s 100K in size – well that’s probably just a JPEG. But if it’s 25 megs – you may want to look at that a little closer.”

He added that Trustwave has seen this technique used in targeted campaigns, largely against e-commerce sites in Latin America.

“Websites tend to be riddled with holes anyway – if you use a common CMS package like Joomla! or WordPress and you don’t keep it up to date, there are easier ways in,” Sigler said, noting that Trustwave has yet to do a code audit on such websites that finds no vulnerabilities. “However, if you do have everything patched and there’s no low-hanging fruit for the attacker in terms of compromising a site, this is a little more advanced of a technique that can get you in.”

The effort, he added, is worth it to adversaries going after lucrative e-commerce sites, since the market for data taken from online transactions, a.k.a. card-not-present data, is booming.

“We have seen a big spike in card-not-present data showing up for sale,” he said. “Much more of that than data skimmed at brick-and-mortar stores. This campaign confirms a lot of things, including the fact that e-commerce sites are still an extremely juicy target, which makes sense because that’s where the market is right now.”

To protect themselves, website owners can first and foremost scan for PHP tags in image files; if present, the images should be examined. Disabling image uploads if they’re not strictly necessary would also of course mitigate the threat.
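The scan recommended above (look for PHP tags inside image files rather than whitelisting them) as an added example, not code from Trustwave or this article: a stdlib-only Python walker over JPEG marker segments that flags PHP-looking tokens wherever they sit, including the APP1/EXIF block, comment segments and any bytes trailing the image data. The token list and the two sample images are constructed for the demonstration.

```python
import re
import struct

# Tokens that have no business inside image metadata (constructed starter list; extend for your site).
PHP_PATTERNS = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(|preg_replace\s*\(", re.IGNORECASE)
SEGMENT_NAMES = {0xE0: "APP0/JFIF", 0xE1: "APP1/EXIF", 0xE2: "APP2/ICC", 0xFE: "COM", 0xDA: "SOS+rest"}
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))   # markers that carry no length field

def jpeg_segments(data):
    """Yield (segment_name, payload_bytes) for every marker segment in a JPEG, then the trailing bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker byte 0xFF at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: anything after it is trailing data, scan that too
            yield "trailing", data[pos + 2:]
            return
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        name = SEGMENT_NAMES.get(marker, "0x%02X" % marker)
        if marker == 0xDA:                       # SOS: entropy-coded data has no length; scan the rest as one blob
            yield name, data[pos + 2 + length:]
            return
        yield name, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_php(data):
    """Return [(segment_name, token)] for every PHP-looking token found in any segment of the JPEG."""
    return [(name, m.group(0).decode("latin-1"))
            for name, payload in jpeg_segments(data)
            for m in PHP_PATTERNS.finditer(payload)]

def _segment(marker, payload):                   # helper used only to build the constructed samples below
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a benign JFIF with a comment, and one whose APP1/EXIF block carries a PHP stub.
CLEAN_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _segment(0xFE, b"holiday photo") + b"\xff\xd9")
EXIF_PHP_JPEG = (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00Stand-in for TIFF data <?php /* constructed */ ?>")
                 + b"\xff\xd9")
```

Run `find_php(open(path, "rb").read())` against each upload before it is stored; any hit means the file should be quarantined and examined rather than served.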

“Not whitelisting those image files but looking at those for malicious code is a great step,” he said. “Also, if suddenly you have unauthorized PHP files on your website, that’s a red flag.”


Discussion

  • hugo on

    The author fails to understand how this attack works. It has absolutely nothing to do with EXIF reading/parsing method in PHP. Please do better research on the topic at hand.
    • Tara Seals on

      Please elaborate. The details are per Trustwave researchers – I can ask them about your assessment.
  • Ffs on

    This is a very well known technique ... it’s taught in the most basic of pen testing classes and seen in CTFs across the industry. Review your sources...
    • Tara Seals on

      As noted in the article, it's not an unknown technique, but researchers said that it's rare to see it in the wild.
  • Lee on

    This is research from 2013? https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hiding-webshell-backdoor-code-in-image-files/
    • Tara Seals on

      Hi Lee -- as I noted in the article (with a link to that same blog), they first saw this in 2013, but it hasn't resurfaced since then. Trustwave researchers told me that this particular technique is quite rare, which is why its reappearance now is notable.
  • Beps Engineering on

    It's impressive. The more we go on, the more the hacking techniques become refined...
  • John Andrews on

    Only worthless idiots have used WordPress or visited any websites that use it.
  • CC on

    And of course YOU know what the site is made on BEFORE you visit it.
  • Laura on

    Have a look: [Techjury external link removed]. We do our best to guide our clients away from WP, or to use it safely if they must, but in our segment of the market (small-med business & nonprofit) it is especially huge, and hard to avoid.
  • anti PHP rhetoric on

    In what way should a "fully patched" CMS, regardless of the programming language or CMS used, be vulnerable to this attack? If the site is executing code injected by a user by whatever method, that is completely unacceptable, and an exploit... Thus, the site should not be considered "fully patched", and the resulting tools or libraries parsing EXIF headers should be considered compromised
  • Brian on

    I came here thinking I was gonna read about dinosaurs and then realized I misread the title of the article after reading the whole thing! Stegosaurus =/= Steganography
  • Joe Deer on

    Unless I'm getting this completely wrong, this technique does not provide the attackers with any new way of compromising websites. This is a technique to hide the malicious payload AFTER compromising the site by other means. This, I believe, is what the author of the article fails to understand, and also the reason why this article should have nothing to do with whether the server is "fully patched". Having said that, if I'm missing anything, please let me know!
