ImageGate attack – How to spread malware via poisoned .JPG

Security experts from Checkpoint have discovered a new malware-based campaign through Facebook. Crooks leverage an image obfuscation trick, dubbed ImageGate, to spread the Locky ransomware via Facebook. Experts highlighted that the image obfuscation trick is able to bypass Facebook’s security checks.

“Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images through social media applications such as Facebook and LinkedIn.” reads a blog post published by Checkpoint security.

Checkpoint hasn’t disclosed the details of the technique because it could still have a serious impact on popular web services, including Facebook and LinkedIn.

The technique is not considered insidious for tech-savvy users, anyway, it represents a serious threat for users that could be tricked into downloading and running unknown executables.

Researchers Roman Ziakin and Dikla Barda from Checkpoint published a video PoC to show how to exploit the issue by sending a .jpg image file through Facebook Messenger.

The attack requests user interaction, the victim must click the attachment, in response the target system generates a Windows save file prompt asking the victim for the save directory to which the.hta file will be downloaded. The victim is infected with the Locky ransomware by double-clicking the saved file.

Waiting for the improvement of Facebook controls, users are advised to stay vigilant and avoid opening unsolicited messages.

Check Point recommends the following preventive measures:

1. If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.
2. Don’t open any image file with unusual extension (such as SVG, JS or HTA).