Malicious Image

Malicious Image [T1204.003]

Information

Name: Malicious Image
ID: T1204.003
Tactics: TA0002
Technique: T1204

Introduction

Malicious Image (T1204.003) is a sub-technique within the MITRE ATT&CK framework under the broader category of User Execution (T1204). This technique involves embedding malicious code or payloads within image files to deceive users or systems into executing harmful content. Attackers leverage image files due to their perceived innocuous nature, increasing the likelihood of bypassing traditional security defenses. Malicious images can be delivered via email attachments, web downloads, or messaging applications, exploiting user trust and curiosity to initiate unauthorized actions or compromise systems.

Deep Dive Into Technique

This sub-technique primarily involves hiding executable payloads or scripts within seemingly benign image files. Attackers typically rely on the following technical methods and mechanisms:

Steganography: Embedding malicious payloads within digital images using steganographic techniques to conceal executable code or scripts.
- Payloads can be hidden within image metadata, pixel data, or appended to the end of legitimate image files.
- Common image formats used include PNG, JPG, GIF, and BMP.
Polyglot Files: Creating files that are valid both as images and executables or scripts.
- Attackers manipulate file headers and structure to ensure the malicious file can be opened as an image but executed as code when triggered by specific methods.
Exploitation of Image Processing Libraries: Targeting vulnerabilities within image rendering libraries or software to execute malicious payloads upon image viewing or parsing.
- Commonly exploited libraries include those used in web browsers, email clients, PDF readers, and image viewers.
Social Engineering: Leveraging user trust and curiosity to encourage opening or downloading malicious images.
- Attackers craft convincing phishing emails, instant messages, or social media posts containing malicious images.
Execution Methods:
- Direct execution via exploitation of vulnerable software.
- Extraction and execution of payloads using scripts or macros embedded in documents or web pages referencing malicious images.
- Automated execution triggered by vulnerable image-processing software.

When this Technique is Usually Used

Attackers typically employ malicious images during various stages of cyber-attacks, including:

Initial Access:
- Delivering malicious images via phishing emails or compromised websites to gain initial foothold.
- Social engineering campaigns targeting specific individuals or organizations.
Execution Stage:
- Exploiting image-processing vulnerabilities to execute payloads on targeted systems automatically.
- Triggering payload execution through user interaction with crafted images.
Persistence and Command & Control (C2):
- Embedding payloads or configuration data within images to evade detection and maintain long-term access.
- Using steganographic techniques to hide C2 communication within seemingly benign image transfers.
Data Exfiltration:
- Concealing stolen information within images to bypass data loss prevention (DLP) solutions and network monitoring tools.

How this Technique is Usually Detected

Detection of malicious images involves multiple layers of defense, including:

File Analysis and Integrity Checks:
- Monitoring for unusual image file sizes, structures, or anomalies in image metadata.
- Implementing hash comparisons against known malicious images or polyglot files.
Behavioral Analysis and Sandboxing:
- Executing suspicious images in sandbox environments to detect anomalous behaviors or exploitation attempts.
- Monitoring image-processing software behavior for unexpected execution patterns or memory corruption attempts.
Network Traffic Analysis:
- Identifying unusual or encrypted communication patterns associated with image file transfers.
- Detecting steganographic C2 channels hidden within image file transfers.
Endpoint Detection and Response (EDR):
- Analyzing endpoint logs and process behaviors related to image rendering or opening applications.
- Monitoring for unusual process executions or memory injections triggered by image files.
Indicators of Compromise (IoCs):
- Suspicious image files with abnormal headers, metadata, or appended data.
- Known malicious image hashes or signatures.
- Unusual outbound network traffic correlated with image file access or processing.
- Specific software vulnerabilities exploited by malicious images (e.g., CVE identifiers related to image-processing libraries).

Why it is Important to Detect This Technique

Early detection and prevention of malicious images is critical due to the following potential impacts:

Initial Compromise and Unauthorized Access:
- Successful exploitation can result in unauthorized access, initial foothold, and subsequent lateral movement within a network.
Stealth and Detection Evasion:
- Malicious images often evade traditional antivirus and signature-based detection methods due to their benign appearance and advanced concealment techniques.
Data Exfiltration Risks:
- Attackers can exfiltrate sensitive information discreetly through images, bypassing traditional DLP and network monitoring solutions.
Persistence and Long-Term Threats:
- Malicious images can facilitate persistent backdoors and hidden communication channels, enabling long-term attacker presence within compromised environments.
Reputation and Financial Damage:
- Organizations compromised through malicious images may suffer significant reputational harm, financial losses, and regulatory penalties due to data breaches or unauthorized disclosures.

Detecting this technique proactively helps organizations mitigate these risks, reduce attack surface, and maintain robust cybersecurity posture.

Examples

Real-world examples demonstrating the use of malicious images include:

LokiBot Malware Campaign:
- Attackers utilized steganography to hide malicious payloads within PNG image files.
- Victims received phishing emails containing malicious documents referencing these images.
- Upon opening, embedded macros extracted and executed the payload hidden within images, resulting in credential theft and system compromise.
OceanLotus (APT32) Attacks:
- Advanced Persistent Threat (APT) group OceanLotus leveraged steganographic techniques to hide payloads within benign-looking images.
- Images delivered via spear-phishing emails targeted Southeast Asian organizations, exploiting vulnerabilities in image-processing software to achieve initial access.
Magecart Payment Card Skimming:
- Attackers embedded malicious JavaScript code within image metadata on compromised e-commerce websites.
- When visitors loaded the compromised images, scripts extracted from metadata executed, harvesting sensitive payment card information.
Stegano Exploit Kit:
- Exploit kit used malicious advertisements containing PNG images with hidden JavaScript payloads.
- Victims visiting compromised websites unknowingly executed hidden scripts, resulting in malware infections and unauthorized access.

These examples highlight the diversity and effectiveness of malicious image attacks across different industries, attack vectors, and threat actor types.

Last updated 10 days ago

Was this helpful?

Introduction

Deep Dive Into Technique

This sub-technique primarily involves hiding executable payloads or scripts within seemingly benign image files. Attackers typically rely on the following technical methods and mechanisms:

Steganography: Embedding malicious payloads within digital images using steganographic techniques to conceal executable code or scripts.

Payloads can be hidden within image metadata, pixel data, or appended to the end of legitimate image files.
Common image formats used include PNG, JPG, GIF, and BMP.

Polyglot Files: Creating files that are valid both as images and executables or scripts.

Attackers manipulate file headers and structure to ensure the malicious file can be opened as an image but executed as code when triggered by specific methods.

Exploitation of Image Processing Libraries: Targeting vulnerabilities within image rendering libraries or software to execute malicious payloads upon image viewing or parsing.

Commonly exploited libraries include those used in web browsers, email clients, PDF readers, and image viewers.

Social Engineering: Leveraging user trust and curiosity to encourage opening or downloading malicious images.

Attackers craft convincing phishing emails, instant messages, or social media posts containing malicious images.

Execution Methods:

Direct execution via exploitation of vulnerable software.
Extraction and execution of payloads using scripts or macros embedded in documents or web pages referencing malicious images.
Automated execution triggered by vulnerable image-processing software.

When this Technique is Usually Used

Attackers typically employ malicious images during various stages of cyber-attacks, including:

Initial Access:

Delivering malicious images via phishing emails or compromised websites to gain initial foothold.
Social engineering campaigns targeting specific individuals or organizations.

Execution Stage:

Exploiting image-processing vulnerabilities to execute payloads on targeted systems automatically.
Triggering payload execution through user interaction with crafted images.

Persistence and Command & Control (C2):

Embedding payloads or configuration data within images to evade detection and maintain long-term access.
Using steganographic techniques to hide C2 communication within seemingly benign image transfers.

Data Exfiltration:

Concealing stolen information within images to bypass data loss prevention (DLP) solutions and network monitoring tools.

How this Technique is Usually Detected

Detection of malicious images involves multiple layers of defense, including:

File Analysis and Integrity Checks:

Monitoring for unusual image file sizes, structures, or anomalies in image metadata.
Implementing hash comparisons against known malicious images or polyglot files.

Behavioral Analysis and Sandboxing:

Executing suspicious images in sandbox environments to detect anomalous behaviors or exploitation attempts.
Monitoring image-processing software behavior for unexpected execution patterns or memory corruption attempts.

Network Traffic Analysis:

Identifying unusual or encrypted communication patterns associated with image file transfers.
Detecting steganographic C2 channels hidden within image file transfers.

Endpoint Detection and Response (EDR):

Analyzing endpoint logs and process behaviors related to image rendering or opening applications.
Monitoring for unusual process executions or memory injections triggered by image files.

Indicators of Compromise (IoCs):

Suspicious image files with abnormal headers, metadata, or appended data.
Known malicious image hashes or signatures.
Unusual outbound network traffic correlated with image file access or processing.
Specific software vulnerabilities exploited by malicious images (e.g., CVE identifiers related to image-processing libraries).

Why it is Important to Detect This Technique

Early detection and prevention of malicious images is critical due to the following potential impacts:

Initial Compromise and Unauthorized Access:

Successful exploitation can result in unauthorized access, initial foothold, and subsequent lateral movement within a network.

Stealth and Detection Evasion:

Malicious images often evade traditional antivirus and signature-based detection methods due to their benign appearance and advanced concealment techniques.

Data Exfiltration Risks:

Attackers can exfiltrate sensitive information discreetly through images, bypassing traditional DLP and network monitoring solutions.

Persistence and Long-Term Threats:

Malicious images can facilitate persistent backdoors and hidden communication channels, enabling long-term attacker presence within compromised environments.

Reputation and Financial Damage:

Organizations compromised through malicious images may suffer significant reputational harm, financial losses, and regulatory penalties due to data breaches or unauthorized disclosures.

Detecting this technique proactively helps organizations mitigate these risks, reduce attack surface, and maintain robust cybersecurity posture.

Examples

Real-world examples demonstrating the use of malicious images include:

LokiBot Malware Campaign:

Attackers utilized steganography to hide malicious payloads within PNG image files.
Victims received phishing emails containing malicious documents referencing these images.
Upon opening, embedded macros extracted and executed the payload hidden within images, resulting in credential theft and system compromise.

OceanLotus (APT32) Attacks:

Advanced Persistent Threat (APT) group OceanLotus leveraged steganographic techniques to hide payloads within benign-looking images.
Images delivered via spear-phishing emails targeted Southeast Asian organizations, exploiting vulnerabilities in image-processing software to achieve initial access.

Magecart Payment Card Skimming:

Attackers embedded malicious JavaScript code within image metadata on compromised e-commerce websites.
When visitors loaded the compromised images, scripts extracted from metadata executed, harvesting sensitive payment card information.

Stegano Exploit Kit:

Exploit kit used malicious advertisements containing PNG images with hidden JavaScript payloads.
Victims visiting compromised websites unknowingly executed hidden scripts, resulting in malware infections and unauthorized access.

These examples highlight the diversity and effectiveness of malicious image attacks across different industries, attack vectors, and threat actor types.