Hackers Hide Malware In Images From Trusted Website
A new report from HP Wolf Security highlights alarming advancements in malware delivery tactics, including the embedding of malicious code within seemingly innocuous images hosted on legitimate platforms.
In a Rush? Here are the Quick Facts!
- Malware campaigns targeted businesses using invoice emails with malicious attachments.
- Hidden malware steals sensitive information, including passwords and credit card details.
- Nearly 29,000 views on one malicious image show the scale of the attack.
One of the standout findings involves malware campaigns that embedded harmful code into image files. These images were uploaded to archive.org, a trusted file-sharing website, to avoid suspicion. By doing this, hackers were able to sneak past common security measures, like network filters, that often rely on a website’s reputation.
Two types of malware were spread using this tactic: VIP Keylogger and 0bj3ctivityStealer. Both are designed to steal sensitive information such as passwords and credit card details.
Hackers sent emails posing as invoices or purchase orders to trick businesses into downloading malicious attachments. These attachments contained files that, when opened, triggered a chain reaction.
The process included downloading a seemingly harmless image file from archive.org. Hidden within the image was encoded malware, which would then install itself onto the victim’s computer.
One image linked to this campaign was viewed nearly 29,000 times, hinting at the large scale of the attack.
Once the image is downloaded, a piece of code extracts and decodes the malware hidden inside it. The malware then runs on the victim’s device, recording keystrokes, stealing passwords, and even taking screenshots. To make the attack persistent, the malware modifies the computer’s registry, ensuring it starts up every time the computer is turned on.
The report says that this method of hiding malicious code in images is particularly effective because it exploits legitimate platforms, making it harder for traditional security tools to detect.
The researchers add that these incidents highlight the efficiency of reusing malware kits and components, as both campaigns employed the same .NET loader to install their respective payloads. This modular approach not only streamlined the development process for threat actors but also allowed them to focus on refining techniques to avoid detection.
The embedding of malicious code in images is not a novel tactic but represents a resurgence in its popularity due to advancements in obfuscation and delivery methods. The report emphasizes the need for enhanced endpoint protection and employee awareness training to counter such sophisticated threats.
As cybercriminals continue to innovate, leveraging legitimate tools and platforms, the report serves as a stark reminder of the evolving cyber threat landscape. Security teams must remain vigilant, adopt proactive measures, and stay informed to mitigate risks posed by these emerging threats.