Hacking group using Polyglot images to hide malvertising attacks

DEVCON-Polyglot image 2-1-2019.png

DEVCON has been following a group of malvertisers that are moving to more sophisticated attacks to hide their payloads. DEVCON’s research team has uncovered at least one group distributing malicious AD payloads via polyglot exploits. The definition of Polyglot images and Steganographic images can be easy to confuse, however there are some key differences between these two attacks. Steganographic exploits use data hidden in an image by altering pixels here and there. By altering a few pixels in the image, the human eye is unable to detect the very slight degradation in image quality. This exploit also requires some extra javascript (not in the image) to know the patterns and offsets to find the exploited pixels and reassemble them into executable javascript. 

Polyglot exploits are unique in that the file can be an image AND JavaScript at the same time! It also does not need an external script to extract the payload. How can a file be javascript and an image? Well it relies on some very clever tricks of how the computer interprets these two very different files.

Below is what the computer sees when it reads in a normal BMP file. We need to understand at a high level what this does to know how an attacker would turn this into a polyglot and exploit the browser.

Normal BMP Image Header

Normal BMP Image Header

The first two bytes (red square) are the hexadecimal representation of the characters BM for a BMP image. The next 4 bytes (8A C0 A8 00) are the size of the image file. This is followed by 4 null bytes (00 00 00 00) and the data offsets (8A 00 00 00). This gives the computer most of the information it needs to know to execute this file correctly.

Now here is a header for a Polyglot BMP image file:

sc2.png

They look about the same. It still starts with BM. Size and data offsets are all still there. The clever trick here is that attacker can control the size of the image and hexadecimal characters can be manipulated so they are interpreted by the computer as something else. The attacker here has changed the size of the image bytes so that they happen to also be the character codes for /**. This combination of characters creates a JavaScript comment. JavaScript comments are used to make the JavaScript Interpreter ignore everything in-between these characters. i.e  /* ignore me */ .

Let's look at the later part of the exploit that happens near the end of the file.

sc3.png

As expected the JavaScript Comment is terminated with */. The attacker then adds the characters = and `. What the attacker has done here is turned the file type BM into a JavaScript variable and set it to another heavily obfuscated payload. The below example explains how this would look to a JavaScript interpreter.

sc4.png

The file can now be run in the browser two different ways. 

<img src="polyglot.jpg"/> will show the user an image and ignore the JavaScript

<script src="polyglot.jpg"></script> will execute valid JavaScript and ignore the image data.

Our research team has detected this being exploited in the wild to hide malvertising payloads. We found the attack in some of the following creative images:

Exploited.png

The attack we found loads what looks looks like a normal BMP file but when loaded in the bowser as javascript it will load the BM variable into memory as shown in the following screenshot.

sc8.png

Later parts of the image file contain a decoder script that is also highly obfuscated javascript. This attack has many layers and new techniques to attempt to hide what it's true nature is and to hinder white hat reverse engineers from figuring out exactly how it works. 

sc9.png

All of the script above gets decoded down to the following very simple script. This will finally decode the data hiding in the BM variable. 

sc10.png

Below is the decoded BM data. This final decoded script is not unlike many of the other malvertising exploits we see. It brings a cloudfront URL into the browser that will redirect the victim off of the page they were visiting and into a series of other redirects until the user lands on a Spin the Wheel type game with the hope of winning a gift card.

sc11.png

Example of the final redirect:

What's interesting about this new attack vector is that it's not that new. These types of techniques have been well known to security researchers and pen-testers to execute shell code and deploy server side attacks. JS/GIF polyglots are a known way to work around a server's Content Security Policy to execute XSS attacks. Similar attack vectors have even been documented in POC||GTFO. This may indicate that more advanced groups are now moving into the ad fraud space to exploit users.

References:

https://warroom.rsmus.com/bmp-x86-polyglot/

https://en.wikipedia.org/wiki/Gifar

http://stegosploit.info/

https://www.robertxiao.ca/hacking/defcon2018-assembly-polyglot/

https://hackaday.com/2015/11/06/stegosploit-owned-by-a-jpg/

https://ajinabraham.com/blog/bypassing-content-security-policy-with-a-jsgif-polyglot

https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs

https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf

Posted: 2019-02-24
by: Josh Summitt - CTO