ImageGate attack – How to spread malware via poisoned .JPG

Security experts from Checkpoint have discovered a new malware-based campaign through Facebook leveraging an image obfuscation trick dubbed ImageGate.

Security experts from Checkpoint have discovered a new malware-based campaign through Facebook. Crooks leverage an image obfuscation trick, dubbed ImageGate, to spread the Locky ransomware via Facebook. Experts highlighted that the image obfuscation trick is able to bypass Facebook’s security checks.

“Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images through social media applications such as Facebook and LinkedIn.” reads a blog post published by Checkpoint security.

Checkpoint hasn’t disclosed the details of the technique because it could still have a serious impact on popular web services, including Facebook and LinkedIn.

According to the researchers, the attackers have devised a method to embed malicious code into an image file and successfully upload it to the social media platform bypassing security controls. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.

“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” continues the analysis of the ImageGate.

The technique is not considered insidious for tech-savvy users, anyway, it represents a serious threat for users that could be tricked into downloading and running unknown executables.

Researchers Roman Ziakin and Dikla Barda from Checkpoint published a video PoC to show how to exploit the issue by sending a .jpg image file through Facebook Messenger.

The attack requests user interaction, the victim must click the attachment, in response the target system generates a Windows save file prompt asking the victim for the save directory to which the.hta file will be downloaded. The victim is infected with the Locky ransomware by double-clicking the saved file.

Waiting for the improvement of Facebook controls, users are advised to stay vigilant and avoid opening unsolicited messages.

Check Point recommends the following preventive measures:

If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.
Don’t open any image file with unusual extension (such as SVG, JS or HTA).

A few days ago, researchers announced the discovery of a new hacking campaign leveraging on Facebook Messenger to spread the Locky ransomware via SVG images.

The Locky Ransomware is spread via a downloader, experts noticed that it is able to bypass Facebook defense measures by pretending to be a harmless image file.

The campaign was first spotted during the weekend by the malware expert Bart Blaze and by the researchers Peter Kruse.

“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.

When the victim accesses the malicious SVG file it will be directed to a website that appears to be YouTube in design only, but once the page is loaded, the victim is asked to install a codec in order to play the video that is shown on the page.

“A website purporting to be Youtube, wih a video from Facebook – of course, you needed to install an additional extension to view it :)” continues Bart Blaze.

If the victim installs the Chrome extension as requested on the page, the attack is this spread further via Facebook Messenger. The experts observed that sometimes the malicious Chrome extension installs the Nemucod downloader, which launches the Locky ransomware attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Locky Ransomware, ImageGate)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.