The Daily Swig: Malvertising fiends using polyglot exploits in real-world attacks


John Leyden | 27 February 2019 at 16:00 UTC

Image/script duality trickery


Cybercriminals have started using so-called ‘polyglot images’ to disguise malvertising attacks.

Polyglot exploits center around malicious payload files that can be interpreted as either an image or a piece of JavaScript.

The tactic – spotted in the wild by researchers at ad fraud prevention firm Devcon – has been adopted by a group hoping to pass off malicious JavaScript as artwork.

The approach is apparently motivated by an attempt to foil the scanning of JavaScript files for malicious content by ad networks.

Black hats have manipulated file headers so that a payload file can be interpreted as either a BMP image or JavaScript, Devcon researchers said.

The latest versions of popular browsers such as Chrome and Firefox enforce content type, so this kind of trickery will fail in many cases.

Surfers still using Internet Explorer, however, remain at risk from polyglot-based exploits, which offer crooks advantages over what might be possible using standard steganographic attacks.

With a standard steganographic attack, additional JavaScript outside the image, one that knows the patterns and offsets needed to unpack the hidden code, would be required. With a polyglot exploit, no malicious external script is necessary to extract the payload, because the file itself is the script.
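The two checks a defender would want here, as an added example that is not from the article or from Devcon's research: a BMP header parser that flags files whose declared size disagrees with the actual length, or that carry JavaScript-looking bytes after the pixel data (the "no external script needed" property means the payload has to live inside the image file), and a magic-byte versus declared Content-Type check that models the enforcement modern browsers apply. The sample files, the token list and the function names are constructed for this example.

```python
import re
import struct

# Tokens that have no business appearing after a BMP's pixel data (constructed list).
JS_TOKEN = re.compile(rb"\*/|\b(?:eval|function|document|window|fetch|XMLHttpRequest|atob|unescape)\b")

# Magic bytes -> the Content-Type a server should have declared (constructed subset).
MAGIC = {b"BM": "image/bmp", b"\x89PNG": "image/png", b"\xff\xd8\xff": "image/jpeg", b"GIF8": "image/gif"}


def make_sample_bmp() -> bytes:
    """Build a minimal valid 1x1 24-bit BMP (constructed clean sample)."""
    width, height, bpp = 1, 1, 24
    row_stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixel_data = b"\x00\x00\xff" + b"\x00" * (row_stride - 3)  # one red pixel (BGR) plus padding
    off_bits = 14 + 40                                   # file header + BITMAPINFOHEADER
    file_size = off_bits + row_stride * height
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, off_bits)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                             len(pixel_data), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_data


# Constructed suspicious sample: a valid image with script-looking bytes appended.
SUSPICIOUS_SAMPLE = make_sample_bmp() + b"*/ eval(atob('Y29uc3RydWN0ZWQ='))"


def scan_bmp(data: bytes) -> dict:
    """Parse the BMP headers and report structural signs of a polyglot."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return {"verdict": "not-bmp", "findings": ["bad-magic"], "trailing_bytes": 0}
    declared_size = struct.unpack_from("<I", data, 2)[0]
    off_bits = struct.unpack_from("<I", data, 10)[0]
    _dib_size, width, height, _planes, bpp, compression, image_size = struct.unpack_from("<IiiHHII", data, 14)

    # A polyglot repurposes header fields, so the declared size rarely matches reality.
    if declared_size != len(data):
        findings.append("size-mismatch")

    # Where the pixel data must end according to the headers.
    if compression == 0:
        row_stride = ((abs(width) * bpp + 31) // 32) * 4
        pixel_end = off_bits + row_stride * abs(height)
    else:
        pixel_end = off_bits + image_size

    trailing = data[pixel_end:]
    if trailing:
        findings.append("trailing-data")
        if JS_TOKEN.search(trailing):
            findings.append("javascript-like-trailer")

    verdict = "clean" if not findings else "suspicious"
    return {"verdict": verdict, "findings": findings, "trailing_bytes": len(trailing)}


def sniff_type(data: bytes):
    """Return the Content-Type implied by the file's magic bytes, or None."""
    for magic, content_type in MAGIC.items():
        if data.startswith(magic):
            return content_type
    return None


def content_type_consistent(declared: str, data: bytes) -> bool:
    """Mirror the browser rule: a response claiming to be script must not start like an image."""
    return sniff_type(data) == declared


if __name__ == "__main__":
    print(scan_bmp(make_sample_bmp()))
    print(scan_bmp(SUSPICIOUS_SAMPLE))
    print(content_type_consistent("application/javascript", SUSPICIOUS_SAMPLE))
```

The size-mismatch and trailing-data checks are the robust ones: they do not depend on a token list and fire on any file whose headers and body disagree. The token search is a cheap second opinion for triage. The Content-Type check is the server-side counterpart of the browser enforcement the article mentions: an ad asset served as script whose bytes sniff as an image should be rejected before it reaches a client that does not enforce types itself.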