ImageGate attack – How to spread malware via poisoned .JPG

Pierluigi Paganini November 25, 2016

Security experts from Checkpoint have discovered a new malware-based campaign through Facebook leveraging an image obfuscation trick dubbed ImageGate.

Security experts from Checkpoint have discovered a new malware-based campaign through Facebook. Crooks leverage an image obfuscation trick, dubbed ImageGate, to spread the Locky ransomware via Facebook. Experts highlighted that the image obfuscation trick is able to bypass Facebook’s security checks.

“Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images through social media applications such as Facebook and LinkedIn.” reads a blog post published by Checkpoint security.

Checkpoint hasn’t disclosed the details of the technique because it could still have a serious impact on popular web services, including Facebook and LinkedIn.

According to the researchers, the attackers have devised a method to embed malicious code into an image file and successfully upload it to the social media  platform bypassing security controls. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.

“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” continues the analysis of the ImageGate.

The technique is not considered insidious for tech-savvy users, anyway, it represents a serious threat for users that could be tricked into downloading and running unknown executables.

Researchers Roman Ziakin and Dikla Barda from Checkpoint published a video PoC to show how to exploit the issue by sending a .jpg image file through Facebook Messenger.

https://youtu.be/sGlrLFo43pY

The attack requests user interaction, the victim must click the attachment, in response the target system generates a Windows save file prompt asking the victim for the save directory to which the.hta file will be downloaded. The victim is infected with the Locky ransomware by double-clicking the saved file.

ImageGate checkpoint-jpeg-ransomware

 

Waiting for the improvement of Facebook controls, users are advised to stay vigilant and avoid opening unsolicited messages.

Check Point recommends the following preventive measures:

  1. If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.
  2. Don’t open any image file with unusual extension (such as SVG, JS or HTA).

 A few days ago, researchers announced the discovery of a new hacking campaign leveraging on Facebook Messenger to spread the Locky ransomware via SVG images.

The Locky Ransomware is spread via a downloader, experts noticed that it is able to bypass Facebook defense measures by pretending to be a harmless image file.

The campaign was first spotted during the weekend by the malware expert Bart Blaze and by the researchers Peter Kruse.

“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.

When the victim accesses the malicious SVG file it will be directed to a website that appears to be YouTube in design only, but once the page is loaded, the victim is asked to install a codec in order to play the video that is shown on the page.

“A website purporting to be Youtube, wih a video from Facebook – of course, you needed to install an additional extension to view it :)” continues Bart Blaze.

If the victim installs the Chrome extension as requested on the page, the attack is this spread further via Facebook Messenger. The experts observed that sometimes the malicious Chrome extension installs the Nemucod downloader, which launches the Locky ransomware attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Locky Ransomware, ImageGate)



you might also like

leave a comment