Experts at Trustwave observed threat actors using a rare technique to compromise fully patched websites.

Security experts at Trustwave observed threat actors using a rare steganography technique, attackers are hiding PHP scripts in Exchangeable Image Format (EXIF) headers of JPEG images that are uploaded on the website.

The Exchangeable image file format is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.

According to ThreatPost that first reported the news, attackers could exploit the steganographic technique to deploy a malicious webshell on target websites. The technique was first observed in attacks against e-commerce sites in Latin America, threat actors used it to implant PHP code into EXIF headers of JPEG files.

Karl Sigler, a security research manager at Trustwave SpiderLabs, confirmed that the attack works also works on fully patched websites. He explained that attackers leverage PHP function to parse EXIF data of images. The good news for attackers is that the function that allows parsing the EXIF- headers is usually pre-installed in several website tools and plugins.

The attacker only needs to upload a specially crafted image on the target site and trigger the hidden code in the EXIF headers.

“It’s likely that a website offers the ability to upload images and also has an existing PHP file that allows the site to parse out the EXIF data,” Sigler explained. “In that situation, it would be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It’s simply a matter of finding a website with one that allows the attacker to point it at their malicious uploaded data.”

This steganography technique is rare, according to the expert it was observed the last time in the wild in 2013 when hackers have hidden the entire webshell backdoor in the header. In the recent attacks, attackers only hid a dropper in the JPEG image reducing the size of the malicious code that was injected in the EXIF header.

“However, if you do have everything patched and there’s no low-hanging fruit for the attacker in terms of compromising a site, this is a little more advanced of a technique that can get you in.” S igler added.

Experts suggest to scan for PHP tags in image files and disabling image uploads if they are not necessary.

Pierluigi Paganini

(SecurityAffairs – steganography technique, GDPR)

Share this...

Linkedin Reddit Pinterest

Share On