Polyglot Images Used in Malvertising Campaign

Delaware, USA – February 27, 2019 – An unknown group of cybercriminals is using Polyglot images to redirect users to malicious websites. Devcon researchers have discovered a new malvertising campaign that relies on a sophisticated technique similar to steganography. Unlike steganography, Polyglot images carry not only the payload but also the script that executes it. The cybercriminals behind the campaign use a trick that forces the system to execute a BMP file as JavaScript by modifying the hexadecimal representation of the image. As a result, a seemingly innocent advertisement causes the computer to deobfuscate the code and execute the payload while ignoring the rest of the file.
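A defender's view of what the paragraph describes: a BMP file whose header bytes have been altered so the same bytes also parse as script tends to violate the BMP format in measurable ways (declared size that no longer matches the file, script comment delimiters inside the header, bytes trailing past the pixel array). The checker below is an added example written for this page, not code from Devcon or SOC Prime; the two sample files it inspects are constructed inline for the demonstration, and the list of script markers it looks for is an assumption a practitioner would tune to their own telemetry.

```python
import struct

# Byte sequences that have no business appearing in an image's header or trailer.
# Assumed marker list for this example; extend it to match your own detections.
JS_MARKERS = (b"*/", b"eval(", b"document.", b"<script", b"function(", b"=>")


def make_clean_bmp() -> bytes:
    """Constructed sample: a minimal, well-formed 1x1 24-bit BMP."""
    pixel = b"\x00\x00\xff" + b"\x00"  # one BGR pixel, padded to a 4-byte row
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression,
    # image size, x/y pixels per metre, colours used, colours important
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    total = 14 + len(dib) + len(pixel)
    # BITMAPFILEHEADER: magic, file size, reserved1, reserved2, pixel data offset
    hdr = b"BM" + struct.pack("<IHHI", total, 0, 0, 14 + len(dib))
    return hdr + dib + pixel


def make_polyglot_sample() -> bytes:
    """Constructed sample of the anomaly class described in the text.

    The size field is overwritten with a JS comment opener and inert script is
    appended after the pixel array, so the image no longer satisfies its own
    header. Nothing here is live malware; the trailer is a harmless assignment.
    """
    data = bytearray(make_clean_bmp())
    data[2:4] = b"/*"                      # size field now reads as "/*"
    data += b"*/=1;var hidden=1;"          # inert script after the pixel data
    return bytes(data)


def analyze_bmp(data: bytes) -> dict:
    """Validate BMP header consistency and flag script-like residue.

    Returns {"is_bmp": bool, "suspicious": bool, "findings": [str]}.
    """
    findings = []
    if len(data) < 14 or data[:2] != b"BM":
        return {"is_bmp": False, "suspicious": True,
                "findings": ["not a BMP (bad magic or truncated header)"]}

    declared_size, res1, res2, pixel_off = struct.unpack_from("<IHHI", data, 2)

    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual size {len(data)}")
    if res1 or res2:
        findings.append("reserved header fields are non-zero")
    if pixel_off < 14 or pixel_off > len(data):
        findings.append(f"pixel data offset {pixel_off} lies outside the file")

    # Header fields are binary integers; ASCII comment delimiters there mean the
    # bytes were chosen for a text parser, not for an image decoder.
    header_bytes = data[2:14]
    if b"/*" in header_bytes or b"//" in header_bytes:
        findings.append("JavaScript comment delimiter inside file header")

    # Anything past the pixel array the header accounts for is a trailer the
    # image decoder ignores but a script engine would still read.
    expected_end = declared_size
    if len(data) >= 38:
        (image_size,) = struct.unpack_from("<I", data, 34)  # biSizeImage
        if image_size:
            expected_end = pixel_off + image_size
    trailer = data[expected_end:]
    if any(marker in trailer for marker in JS_MARKERS):
        findings.append(f"script markers in {len(trailer)}-byte trailing data")

    return {"is_bmp": True, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, sample in (("clean", make_clean_bmp()), ("polyglot", make_polyglot_sample())):
        result = analyze_bmp(sample)
        print(name, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

The check is cheap enough to run on image creatives at an ad-review step or on images a web proxy retrieves, and it complements host telemetry: a header that contradicts the file it sits in is a structural signal that survives whatever obfuscation the embedded script uses.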

In this campaign, the JavaScript redirects the attacked user to a phishing site, but the same attack type can be used for fileless attacks and for dropping malware onto the victim's system. Malvertising campaigns often redirect victims to Exploit Kit landing pages and infect vulnerable users with ransomware and trojans, but leveraging Polyglot images covers a much broader range of targets and poses a serious threat to organizations. You can detect the traces of fileless attacks and attacks without signatures using the Sysmon Framework rule pack, which visualizes multiple security checks on Sysmon's events on Windows hosts: https://my.socprime.com/en/integrations/sysmon-framework-arcsight