Hacking group using Polyglot images to hide malvertising attacks
Below is what the computer sees when it reads a normal BMP file. We need to understand, at a high level, what these bytes mean in order to see how an attacker turns such a file into a polyglot and exploits the browser.
The first two bytes (red square) are the characters BM, shown in hex, which mark the file as a BMP image. The next 4 bytes (8A C0 A8 00) are the size of the image file, stored little-endian. This is followed by 4 reserved null bytes (00 00 00 00) and the offset to the pixel data (8A 00 00 00). This gives the computer most of the information it needs to decode and render this file correctly.
Now here is a header for a Polyglot BMP image file:
Let's look at the later part of the exploit that happens near the end of the file.
The browser can now consume the file in two different ways: as an image, or as a script.
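As an added example, not code from the original post, here is a defender-side check built from the header layout described above: it parses the 14-byte file header and the BITMAPINFOHEADER that follows it and flags files whose fields disagree with the file itself, such as a size field that is not the real length, non-zero reserved bytes, or printable data sitting after the pixel array. The BITMAPINFOHEADER field layout, the `make_bmp` helper and both samples are my own constructions, not material from the page.

```python
import struct

DIB_SIZES = (12, 40, 52, 56, 108, 124)  # BITMAPCOREHEADER / BITMAPINFOHEADER family

def validate_bmp(data: bytes) -> list[str]:
    """Return findings for a BMP whose header is not self-consistent; [] means it looks clean."""
    findings = []
    if len(data) < 14 + 12:
        return ["file shorter than the smallest possible BMP header"]
    # 14-byte file header: magic, declared file size, two reserved words, pixel-array offset
    magic, declared_size, res1, res2, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        findings.append(f"magic {magic!r} is not BM")
    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual size {len(data)}")
    if res1 or res2:
        findings.append("reserved fields are non-zero")
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size not in DIB_SIZES:
        findings.append(f"unexpected DIB header size {dib_size}")
    if pixel_offset < 14 + dib_size or pixel_offset > len(data):
        findings.append(f"pixel-array offset {pixel_offset} is outside the sane range")
    if dib_size in DIB_SIZES and dib_size >= 40 and len(data) >= 54:
        width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
        if compression == 0 and bpp in (1, 4, 8, 16, 24, 32):
            row_bytes = ((abs(width) * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
            expected_end = pixel_offset + row_bytes * abs(height)
            if expected_end > len(data):
                findings.append("pixel array runs past the end of the file")
            elif expected_end < len(data):
                tail = data[expected_end:]
                printable = sum(32 <= b < 127 for b in tail) / len(tail)
                findings.append(f"{len(tail)} trailing bytes after the pixel array ({printable:.0%} printable ASCII)")
    return findings

def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal 24-bit uncompressed BMP (used only to construct the samples below)."""
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    return struct.pack("<2sIHHI", b"BM", size, 0, 0, 14 + len(dib)) + dib + pixels

# Constructed samples: a clean 2x2 image, and the same image with a bogus size field and
# a text tail after the pixel array (a stand-in for the hidden script, not the real payload).
CLEAN = make_bmp(2, 2, bytes(16))
SUSPECT = CLEAN[:2] + struct.pack("<I", 12345) + CLEAN[6:] + b"var BM = 'constructed stand-in';"

for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
    print(name, validate_bmp(sample) or "no findings")
```

A clean file produces no findings; the constructed suspect is reported for both the size mismatch and the 32 printable trailing bytes.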
Our research team has detected this being exploited in the wild to hide malvertising payloads. We found the attack in some of the following creative images:
All of the script above gets decoded down to the following very simple script. This will finally decode the data hiding in the BM variable.
Below is the decoded BM data. This final decoded script is not unlike many of the other malvertising exploits we see. It loads a CloudFront URL in the browser that redirects the victim away from the page they were visiting, through a series of further redirects, until the user lands on a Spin the Wheel style game offering the chance to win a gift card.
Example of the final redirect:
What's interesting about this new attack vector is that it's not that new. These techniques have long been known to security researchers and pen-testers as a way to execute shellcode and deploy server-side attacks. JS/GIF polyglots are a known way to work around a server's Content Security Policy and execute XSS attacks. Similar attack vectors have even been documented in PoC||GTFO. This may indicate that more advanced groups are now moving into the ad fraud space to exploit users.
by: Josh Summitt - CTO