Researchers with Sucuri have uncovered a new method being used by attackers to infect users via malicious iframes that have taken an extra step to mask their payloads.
“In today’s attacks, especially when we’re talking about drive-by-downloads, leveraging the iFrame tag is often the preferred method,” blogged researcher Peter Gramantik. “It’s simple and easy, and with a few attribute modifications, the attacker is able to embed code from another site, often compromised, and load something via the client’s browser without them knowing (i.e., silently).”
But recently, Sucuri found an example of attackers doing something different.
“The uniqueness is not in the use of an iFrame tag to embed the content, but rather in how it distributes the malware,” he explained. “You see, the attacker obfuscated the payload inside a PNG file.”
The iFrame loaded what appeared to be a valid file that was totally benign, jquery.js.
“At first…we were stumped,” he blogged. “I mean the code is good, no major issues, right? Then we noticed this little function, loadFile(). The function itself wasn’t curious, but the fact that it was loading a PNG was – var strFile = ‘./dron.png. You’d be surprised how long of staring it takes to notice something like that. I know hindsight is a real kicker.”
After opening the file, the researchers noticed a decoding loop.
“It’s taking the normal behavior of an iFrame injection, embedding it within the meta of the PNG file and just like that we have a new distribution mechanism,” Gramantik wrote.
“Do make note however that while in this specific case we’re talking about PNG, the concepts do and can apply to other image file types as well,” he added. “This only puts more emphasis on the importance of being aware of the state of your web server, understanding what files are and aren’t being added and modified and ensuring that vulnerabilities are not being exploited.”