The malvertising space may be seeing an influx of more advanced threat actors according one research report that found polyglot images now being used to disguise malvertising attacks.
Polyglot images, which differ from their near cousins steganographic images primarily by not needing an external script to extract the payload, have been spotted in the wild, said researchers at Devcon. The researchers noted that using polyglot images is not a new method of attack. Similar JS/GIF polyglots have been shown in proof of concept tests to work around a server's Content Security Policy to execute XSS attacks.
“This may indicate that more advanced groups are now moving into the ad fraud space to exploit users,” the report said.
The incidents spotted by Devcon saw the malicious actors using .bmp images as their camouflage and trick a system into accepting the image by manipulating the size of the image and hexadecimal characters by making the computer believe it is looking at something benign.
“The attacker here has changed the size of the image bytes so that they happen to also be the character codes for /**. This combination of characters creates a JavaScript comment. JavaScript comments are used to make the JavaScript Interpreter ignore everything in-between these characters. i.e /* ignore me */ ,” the report said.
After the “ignore me” code the attacker adds the characters = and ` effectively turning the .bmp file into a JavaScript variable. This allows the file to be run in the browser two different ways as an <img src="polyglot.jpg"/> will show the user an image and ignore the JavaScript and <script src="polyglot.jpg"></script> will execute valid JavaScript and ignore the image data. Also included in the JavaScript is a highly obfuscated decoder script that launches cloudfront URL into the browser that will redirect the victim off of the page. Once away from their destination a series of other redirects will take place until the user lands on a spin the wheel-type game with the hope of winning a gift card.
“This attack has many layers and new techniques to attempt to hide what it's true nature is and to hinder white hat reverse engineers from figuring out exactly how it works,” Devcon said.