Steganography Hack Can Compromise Websites
A steganographic technique that a hacker can use to implant a malicious webshell on unsuspecting websites has been discovered in Latin America. According to research from Trustwave, a forensic investigation showed that a hacker is implanting PHP code into JPEG files' EXIF headers in order to upload malware onto targeted websites. Hiding malware in an image file is a well-known way to bypass detection, since many filters and gateways let image file formats pass without much scrutiny. But the unique benefit of this technique is that it can be used to compromise even a fully patched, up-to-date website with no obvious vulnerabilities, just by uploading an image to it.
PHP provides a convenient function that reads out and parses EXIF data, so if a hacker targets a website that allows anyone to upload images and also uses PHP scripts, they can essentially upload any malware they want. Web application firewalls and malware scanners tend to whitelist image files.
EXIF, or Exchangeable Image File Format, is a standard that specifies the characteristics of images, sound and ancillary tags used by digital cameras, scanners and other devices. PHP has a built-in function for extracting that image EXIF metadata and reading it. It's likely that a website offers the ability to upload images and also has an existing PHP file that lets the site parse out the EXIF data. With that in mind, it would just be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It's just a matter of finding a website whose EXIF-reading script can be pointed at the hacker's uploaded data. An EXIF-reading PHP function is a common feature in multiple pre-packaged website tools and plugins, so it's not that difficult to do if one understands how PHP works.
While steganography isn't new, it is rare. The last time it was seen was in 2013. In that previous case, the entire webshell backdoor was hidden in the header. In this case, it has been modified to use a staging method. The malware in the JPEG image is just the first stage. Once executed, it then downloads the full webshell from an external host. That makes the file smaller and easier to manipulate, so it's less of a red flag for defenses.
Websites are full of holes. If you use a common CMS package like Joomla! or WordPress and you don't keep it up to date, there are easier ways in. However, if you do have everything patched, this is a way for hackers to gain entry. It is worth the effort for hackers to target e-commerce sites, since the market for online transaction data is booming. To protect websites against steganography attacks, admins should scan for PHP tags in image files. If present, the images should be scrutinized.
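The check the article recommends, written here as an added example that is not part of Trustwave's research or the original post: a small scanner that walks the metadata segments of a JPEG (APP1/EXIF, COM, etc.) that precede the image scan data and reports any PHP open tag found in them, so an upload handler or a periodic sweep of the upload directory can quarantine the file for review. The two JPEG samples are constructed inline; the XMP `<?xpacket` marker in the clean one shows why the check matches only real PHP open tags rather than any `<?`.

```python
import re
import struct

# Only genuine PHP open tags; a bare "<?" would false-positive on XMP's "<?xpacket".
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=")

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each metadata segment before the scan data (SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker == 0xDA or marker == 0xD9:   # SOS or EOI: no more metadata
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_php_tags(data: bytes):
    """Return [(marker_hex, offset_in_payload)] for every PHP open tag in metadata."""
    return [(f"0x{marker:02X}", m.start())
            for marker, payload in jpeg_segments(data)
            for m in PHP_TAG_RE.finditer(payload)]

def is_suspicious(data: bytes) -> bool:
    return bool(find_php_tags(data))

# --- constructed samples (not real uploads) ---------------------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_jpeg(app1_payload: bytes) -> bytes:
    """Minimal JPEG skeleton: SOI, one APP1 segment, an SOS header, EOI."""
    return (b"\xff\xd8" + _segment(0xE1, app1_payload)
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\xff\xd9")

CLEAN = build_jpeg(b"Exif\x00\x00" + b"<?xpacket begin='' id='x'?>")
SUSPECT = build_jpeg(b"Exif\x00\x00" + b"<?php /* constructed first-stage stub */ ?>")
```

Hits are reported per segment so an analyst can pull the exact APP1/COM block with an EXIF tool; files that fail to parse as JPEG at all deserve the same quarantine treatment as a hit.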