Beware of attackers hiding PHP scripts in the EXIF headers of JPEG images to hack websites


Cybercrime is increasing at an alarming rate, and attackers are using a growing range of methods to compromise websites and systems, causing problems for their users. Recently, an unexpected and unusual steganographic technique has been observed in use by attackers: they implant a malicious web shell on unsuspecting websites, and the activity has been detected in Latin America. Trustwave shared an exclusive report with Threatpost in which a forensic investigation revealed the details. According to the report, the attackers embed PHP code in the EXIF headers of JPEG files and use this to upload malware to unsuspecting websites.

Hiding malware in an image file is an effective way to circumvent detection, so understanding this method helps in protecting websites from attackers.

About PHP:

PHP can read and interpret EXIF data. According to Karl Sigler, a security research manager at Trustwave SpiderLabs, if you target a website that allows image uploads and uses PHP scripts, you can essentially upload the malware of your choice.

He also explains how an uploaded malicious image can trigger the PHP code hidden in its EXIF data by way of the existing PHP file the website already uses to read EXIF data.

After describing the effects of such malicious uploads, he stresses that only moderate expertise is needed: all an attacker needs is an understanding of PHP, and expert coding knowledge is not essential.

The EXIF manipulation itself can also be done with a free online tool. Sigler urges website owners to scan image files for PHP tags; if any are found, the images must be examined carefully. To mitigate the threat, owners can also disable image uploads.
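As an added illustration of the check Sigler recommends (this is example code written for this page, not Trustwave's tooling or anything from the original report), the following Python script walks a JPEG's marker segments, parses the ASCII entries of the EXIF IFD0 so that a hit can be attributed to a specific field such as Make or Model, and flags PHP open tags plus a handful of functions commonly used to execute injected code. The two JPEG byte strings at the bottom are constructed inline and are not real uploads; the segment and tag names come from the JPEG and TIFF/EXIF specifications, and the signature lists are assumptions to tune for your environment.

```python
"""Scan a JPEG's metadata segments for embedded PHP code (defensive upload check)."""
import re
import struct

# Signatures (assumed, tune as needed): PHP open tags, and functions often used to run injected code.
PHP_TAG_RE = re.compile(rb'<\?(?:php\b|=|\s)', re.IGNORECASE)
PHP_FUNC_RE = re.compile(rb'\b(?:eval|assert|system|passthru|shell_exec|base64_decode)\s*\(',
                         re.IGNORECASE)

SEGMENT_NAMES = {0xE0: 'APP0', 0xE1: 'APP1', 0xFE: 'COM', 0xDA: 'SOS'}
EXIF_TAG_NAMES = {0x010E: 'ImageDescription', 0x010F: 'Make', 0x0110: 'Model',
                  0x0131: 'Software', 0x013B: 'Artist', 0x8298: 'Copyright'}


def jpeg_segments(data):
    """Yield (marker, payload_offset, payload) for each marker segment up to and including SOS."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG: missing SOI marker')
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f'expected marker byte at offset {pos}')
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: nothing more to scan
            return
        if marker == 0xDA:                       # SOS: the rest is entropy-coded image data
            yield marker, pos + 2, data[pos + 2:]
            return
        if pos + 4 > len(data):
            raise ValueError('truncated segment header')
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        yield marker, pos + 4, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_ascii_fields(payload):
    """Return {tag: (start, end)} byte ranges, relative to the APP1 payload, of ASCII IFD0 entries."""
    if not payload.startswith(b'Exif\x00\x00'):
        return {}
    base = 6                                     # TIFF header follows the 6-byte Exif signature
    endian = {b'II': '<', b'MM': '>'}.get(payload[base:base + 2])
    if endian is None:
        return {}
    ifd = base + struct.unpack(endian + 'I', payload[base + 4:base + 8])[0]
    count = struct.unpack(endian + 'H', payload[ifd:ifd + 2])[0]
    fields = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + 'HHII', payload[e:e + 12])
        if typ != 2:                             # only ASCII entries can carry text
            continue
        start = e + 8 if n <= 4 else base + value    # values of 4 bytes or less are stored inline
        fields[tag] = (start, start + n)
    return fields


def scan_jpeg(data):
    """Return a list of (location, matched_text) for PHP tags or suspicious calls in metadata."""
    findings = []
    for marker, _offset, payload in jpeg_segments(data):
        seg = SEGMENT_NAMES.get(marker, f'0x{marker:02X}')
        exif = exif_ascii_fields(payload) if marker == 0xE1 else {}
        for regex in (PHP_TAG_RE, PHP_FUNC_RE):
            for m in regex.finditer(payload):
                where = seg
                for tag, (start, end) in exif.items():   # attribute the hit to an EXIF field if possible
                    if start <= m.start() < end:
                        where = f'APP1/Exif {EXIF_TAG_NAMES.get(tag, hex(tag))}'
                        break
                findings.append((where, m.group(0).decode('latin-1')))
    return findings


def build_exif_app1(make):
    """Construct a minimal little-endian Exif APP1 payload with one ASCII Make (0x010F) entry."""
    make_b = make.encode() + b'\x00'
    assert len(make_b) > 4, 'keep the value out-of-line so the sample exercises offset handling'
    ifd_off = 8
    data_off = ifd_off + 2 + 12 + 4              # after entry count, one entry, next-IFD pointer
    tiff = b'II*\x00' + struct.pack('<I', ifd_off) + struct.pack('<H', 1)
    tiff += struct.pack('<HHII', 0x010F, 2, len(make_b), data_off)
    tiff += struct.pack('<I', 0) + make_b
    return b'Exif\x00\x00' + tiff


def segment(marker, payload):
    return b'\xff' + bytes([marker]) + struct.pack('>H', len(payload) + 2) + payload


def build_jpeg(app1_payload, comment=b''):
    """Assemble a minimal JPEG-like byte string: SOI, APP1, optional COM, stub SOS, EOI."""
    body = b'\xff\xd8' + segment(0xE1, app1_payload)
    if comment:
        body += segment(0xFE, comment)
    return body + segment(0xDA, b'\x01\x01\x00\x00\x3f\x00') + b'\x12\x34\xff\xd9'


# Constructed samples (not real uploads): one clean, one with a PHP tag in Make and a call in COM.
CLEAN_JPEG = build_jpeg(build_exif_app1('Canon'))
TAINTED_JPEG = build_jpeg(build_exif_app1('<?php echo "constructed sample"; ?>'),
                          comment=b'base64_decode($x)')

if __name__ == '__main__':
    for name, blob in (('clean', CLEAN_JPEG), ('tainted', TAINTED_JPEG)):
        print(name, scan_jpeg(blob))
```

Run the check on an upload before it is stored and treat any finding as grounds to reject or quarantine the file. A regex scan of metadata is cheap, but it is a heuristic: it only inspects the segments before the image data and can be evaded by encoding tricks, so the stronger mitigation is to re-encode every uploaded image server-side, which discards EXIF and comment segments entirely, and to make sure the code that reads EXIF never passes field values to eval or other code-executing functions.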

Trustwave is also taking the initiative to safeguard systems from these attackers.

References:

https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hiding-webshell-backdoor-code-in-image-files/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hiding-php-code-in-image-files-revisited/