An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites.
Hiding malware in an image file is a well-known way to circumvent detection – many filters and gateways let image file formats pass without too much scrutiny. But the unique benefit of this specific technique is that it can be used to compromise even a fully patched, up-to-date website with no obvious vulnerabilities – just by uploading an image to a website.
“PHP provides a nice function that allows you to read out and parse EXIF data, so if you target a website that allows you to upload images and also uses PHP scripts, you can essentially upload any malware you want,” explained Karl Sigler, a security research manager at Trustwave SpiderLabs.
He added, “Web-based firewalls and malware scanners and the like tend to whitelist image files. This is pretty smart, and we don’t see this technique that often.”
EXIF, or Exchangeable Image Format, is a standard that specifies the characteristics of images, sound and ancillary tags used by digital cameras, scanners and other devices – things like file name, size, resolution and so on. PHP has a built-in function for extracting that image EXIF metadata and reading it — for instance, as an accessibility feature for the visually impaired.
“It’s likely that a website offers the ability to upload images and also has an existing PHP file that allows the site to parse out the EXIF data,” Sigler explained. “In that situation, it would be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It’s simply a matter of finding a website with one that allows the attacker to point it at their malicious uploaded data.”
He said that the EXIF-reading PHP function is extremely common in multiple pre-packaged website tools and website plugins, so it’s not that difficult of an attack to pull off if one understands how PHP works.
“I would say you would need moderate expertise,” Sigler said. “You don’t have to have coding experience or use any special tools, you just need to understand PHP. And make use of a free online tool to manipulate the EXIF data. There are a lot of them out there.”
He added that while the technique is not new (and steganography in general is certainly not as unusual as it once was), it is nonetheless rare. The last known instance of a similar technique was seen in the wild in 2013, Sigler explained (Sucuri found a similar campaign that same year).
The attack has become more refined, as well. In that previous case, the entire webshell backdoor was hidden in the header. Fast-forward five years, and the approach has been modified to use a staging method. The malware in the JPEG image is just a first-stage dropper – once executed, it then downloads the full webshell from an external host.
“Technically the first stage is not really malware itself, it’s just downloading something,” Sigler said. “That makes the file smaller and easier to manipulate, so it’s less of a red flag for defenses. If you have a JPEG image that’s 100K in size – well that’s probably just a JPEG. But if it’s 25 megs – you may want to look at that a little closer.”
He added that Trustwave has seen this technique used in targeted campaigns, largely against e-commerce sites in Latin America.
“Websites tend to be riddled with holes anyway – if you use a common CMS package like Joomla! or WordPress and you don’t keep it up to date, there are easier ways in,” Sigler said, noting that Trustwave has yet to do a code audit on such websites that finds no vulnerabilities. “However, if you do have everything patched and there’s no low-hanging fruit for the attacker in terms of compromising a site, this is a little more advanced of a technique that can get you in.”
The effort, he added, is worth it to adversaries going after lucrative e-commerce sites, since the market for data taken from online transactions, a.k.a. card-not-present data, is booming.
“We have seen a big spike in card-not-present data showing up for sale,” he said. “Much more of that than data skimmed at brick-and-mortar stores. This campaign confirms a lot of things, including the fact that e-commerce sites [are] still an extremely juicy target, which makes sense because that’s where the market is right now.”
To protect themselves, website owners can first and foremost scan for PHP tags in image files; if present, the images should be examined. Disabling image uploads if they’re not strictly necessary would also of course mitigate the threat.
“Not whitelisting those image files but looking at those for malicious code is a great step,” he said. “Also, if suddenly you have unauthorized PHP files on your website, that’s a red flag.”
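The scan Sigler recommends is straightforward to automate. The following is an added example, not code from Trustwave or from the article: it walks the marker segments of a JPEG, looks for PHP open tags anywhere in the file, and reports which segment (APP1/EXIF, COM, or bytes appended after the end-of-image marker) each hit sits in. The sample files it checks are constructed in-line, and the "payload" in the suspicious sample is an inert placeholder string; the segment names and the `build_jpeg` helper are the example's own.

```python
import re
import struct
from typing import Dict, Iterator, List, Tuple

# PHP open tags to look for: "<?php" or the short echo tag "<?=".
# A bare "<?" is deliberately not matched, to avoid false positives on XML/XMP metadata.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image
SEGMENT_NAMES = {0xE0: "APP0 (JFIF)", 0xE1: "APP1 (EXIF/XMP)", 0xFE: "COM", 0xDB: "DQT", 0xC0: "SOF0"}


def build_jpeg(exif_payload: bytes, comment: bytes = b"") -> bytes:
    """Build a minimal JPEG container: SOI, APP1 EXIF segment, optional COM segment, EOI.
    Constructed for this demo only; it carries no scan data and will not decode as a picture."""
    exif_body = b"Exif\x00\x00" + exif_payload
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_body) + 2) + exif_body
    com = b""
    if comment:
        com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return SOI + app1 + com + EOI


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Walk JPEG marker segments and yield (marker, start_offset, total_length).
    Stops at SOS (entropy-coded data follows) or EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS: no further parsable segments
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, 2 + length
        pos += 2 + length


def find_php_tags(data: bytes) -> List[Dict]:
    """Scan the whole file for PHP open tags and attribute each hit to its segment.
    Hits outside any marker segment (e.g. appended after EOI) are reported as such."""
    segments = list(iter_segments(data))
    findings = []
    for m in PHP_TAG_RE.finditer(data):
        location = "outside marker segments"
        for marker, start, length in segments:
            if start <= m.start() < start + length:
                location = SEGMENT_NAMES.get(marker, f"marker 0x{marker:02X}")
                break
        findings.append({"offset": m.start(), "tag": m.group().decode("ascii"), "segment": location})
    return findings


def scan_file(path: str) -> List[Dict]:
    """Convenience wrapper for scanning an uploaded file on disk."""
    with open(path, "rb") as fh:
        return find_php_tags(fh.read())


if __name__ == "__main__":
    # Constructed samples: the suspicious one carries an inert placeholder, not a real webshell.
    benign = build_jpeg(b"II*\x00\x08\x00\x00\x00Canon EOS")
    suspicious = build_jpeg(b"II*\x00\x08\x00\x00\x00<?php /* placeholder */ ?>")
    for name, blob in (("benign", benign), ("suspicious", suspicious)):
        hits = find_php_tags(blob)
        print(f"{name}: {len(hits)} hit(s)", hits)
```

Running this at upload time (before the file is written anywhere a PHP script might later read it) and periodically over the existing upload directory catches both the EXIF case described here and the older trick of appending code after the image data. Any hit is grounds to quarantine the file and check the server for PHP files that should not be there.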