A newly documented malware campaign uses JPEG image files to deliver several strains of credential-stealing malware. Security researchers at SEQRITE report that the attack relies on steganography, the practice of hiding a payload inside an otherwise ordinary file, in this case an image. Because the carrier remains a valid, innocuous-looking JPEG, it passes file-type and signature-based checks that only inspect the visible structure of the file. Viewing the image alone does not run code; the infection is completed by a loader on the victim's system that extracts the hidden script from the image and executes it.
The malware delivered through the JPEG files targets browsers, email clients, and FTP clients, harvesting saved login credentials from those applications' local databases.
SEQRITE's analysts explained that the core of the attack is its delivery mechanism: the malicious data is hidden in the pixel data itself rather than in the JPEG header or metadata segments (EXIF, comments). Tools that parse or strip headers and metadata therefore see a well-formed image and nothing else, which is why standard image-processing and metadata-scanning tools do not flag it.
Once the image reaches the victim's device, an automated decoding step extracts the payload and executes it, starting a chain that downloads further malicious tools.
These tools include the Vidar, Raccoon, and RedLine stealers, which collect login credentials and send the stolen data to command-and-control (C2) servers. The attackers use Python and C++ executables to decode the hidden scripts from clusters of pixels and reassemble them into executable payloads.
The steganography in this attack works by modifying pixel values in the JPEG to encode the malicious data. SEQRITE's researchers demonstrated extraction of the payload with custom decoders and showed the subtle, pixel-level changes involved. Changes of a single intensity level are invisible to the eye and leave the file a valid image, so signature-based controls have little to match on; detection has to rely on statistical analysis of the pixel data or, more practically, on catching the decoder and loader that act on it. This is the growing threat that steganographic malware poses.
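The following is an added illustration of the pixel-domain technique described above; it is not SEQRITE's analysis tooling and not the attackers' decoder. It embeds a payload in the least-significant bit of each pixel byte, recovers it the way a loader would, and applies a pairs-of-values chi-square check to show what a statistical detector can see even though the image looks unchanged. All function names, the cover buffer (a constructed RGB array with a deliberately skewed histogram) and the payload (constructed random bytes standing in for an encrypted stage) are assumptions for the example, and it runs without any image library. One caveat that is a general fact about the format rather than a claim about this campaign: JPEG is lossy, so bits placed in decoded pixels survive only if the file is not re-encoded, and JPEG-domain stego tools usually hide data in DCT coefficients instead.

```python
"""
Toy pixel-domain (LSB) steganography: embed a payload in the low bit of
each pixel byte, recover it, and run a simple statistical check.
Added example; not SEQRITE's tooling and not the attackers' decoder.
Operates on a raw 8-bit RGB buffer built in memory (no image library).
Caveat (general fact, not about this campaign): JPEG is lossy, so LSB
changes in decoded pixels only survive if the file is not re-encoded.
"""
import random
import struct

WIDTH, HEIGHT, CHANNELS = 200, 100, 3  # assumed cover size


def make_cover(seed: int = 1) -> bytes:
    """Constructed cover image: random RGB bytes with a skewed histogram
    (70 % of values forced even) so the pairs-of-values test has
    something to detect, much as a real photo's histogram does."""
    rng = random.Random(seed)
    buf = bytearray()
    for _ in range(WIDTH * HEIGHT * CHANNELS):
        v = rng.randrange(256)
        if rng.random() < 0.7:
            v &= 0xFE
        buf.append(v)
    return bytes(buf)


def make_payload(seed: int = 2, size: int = 4000) -> bytes:
    """Constructed stand-in for an encrypted second stage: random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload into successive LSBs."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover too small for payload")
    out = bytearray(pixels)
    i = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read(pixels: bytes, bit_offset: int, nbytes: int) -> bytes:
    """Reassemble nbytes from LSBs starting at bit_offset."""
    result = bytearray()
    for b in range(nbytes):
        val = 0
        for k in range(8):
            val = (val << 1) | (pixels[bit_offset + b * 8 + k] & 1)
        result.append(val)
    return bytes(result)


def extract(pixels: bytes) -> bytes:
    """Recover the payload; refuse length prefixes the buffer cannot hold."""
    (length,) = struct.unpack(">I", _read(pixels, 0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds buffer; not a stego image")
    return _read(pixels, 32, length)


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-byte intensity difference between two buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def pov_statistic(pixels: bytes) -> float:
    """Pairs-of-values chi-square: sum over (2k, 2k+1) of
    (n_2k - n_2k+1)^2 / (n_2k + n_2k+1).  LSB embedding of random bits
    equalises each pair, so the value collapses toward ~128 on embedded
    regions and stays large on untouched ones."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat


if __name__ == "__main__":
    cover, payload = make_cover(), make_payload()
    stego = embed(cover, payload)
    used = (4 + len(payload)) * 8  # bytes that carry hidden bits
    print("recovered:", extract(stego) == payload)
    print("max pixel change:", max_pixel_change(cover, stego))
    print("POV cover / stego:", round(pov_statistic(cover[:used])),
          round(pov_statistic(stego[:used])))
```

The maximum per-byte change is 1, which is why the stego image is visually identical to the cover; the pairs-of-values statistic over the embedded region, by contrast, drops by two orders of magnitude, which is the kind of signal a stego-aware scanner looks for. In practice the higher-value detection is still the decoder itself: a Python or C++ binary that reads an image and writes an executable is far more anomalous than the image.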