Recent discoveries of malicious links coming from Brazil have shown hidden block-cipher code embedded in images. The discovery is assumed to be the first of its kind coming from the Latin American region. The art of hiding information in images is nothing new and has in fact been practiced for hundreds, if not thousands, of years. The difference is that when our ancestors hid secret encrypted codes in images, it was intended for a particular person or party. These days, it is more common to use secret code hidden within images for malicious intent. For example, if I were to ask you to identify the image below, you would tell me that it’s the famous Mona Lisa painting by Leonardo Da Vinci. Then I would ask whether you knew that the original 500-year-old painting contains hidden letters in each of her eyes which are visible only under a microscope. Chances are your response would be “no”.

This Latin American attack used .bmp image files to hide the malicious code rather than artwork or a random picture. This era’s way of hiding code in an image can make it very dangerous for whoever downloads the image, since it can have them install malicious programs without their knowledge. This is because the code or message is not hidden in the visible picture, but within a layer of the file data that makes up the image. The malware installs using several files, the first being the image with the hidden encrypted code. Afterward, an .exe file, also encrypted, that contains the instructions for installing the malware on the infected host is run, allowing a total of 8 encrypted files to pass right by the antivirus safeguards.

The malware has been named “Trojan-Banker.Win32.Delf.vh” and originated from Brazilian-hosted sites. It looks like the authors of this malware are publishing new variants on new hosted sites, which makes it hard to pinpoint. However, the encryption algorithm has remained the same, enabling antivirus software to identify it easily. The person credited with discovering this sneaky attack is Dmitry Bestuzhev of Kaspersky Lab.

Images released by Dmitry of the block-cipher-encrypted .bmp image:

[image not reproduced here]

And here is the decryption of the code:

[image not reproduced here]

Now this is what the script would look like:

[image not reproduced here]
This is an amazing find and shows how dangerous a picture can potentially be. The saying “a picture is worth a thousand words” is very true, yet it takes on a new meaning in this era. One topic I will touch on in the future is images listed on Google when searching by image: there are so many images with the same resolution that differ in size by only a few bytes. This makes me wonder how many of them might be infected or carry hidden messages.
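One way a defender can check for the trick described in this post (code tucked into the file data rather than the visible picture, which leaves a file a few bytes larger than its resolution predicts, as the Google-image observation above notes) is to compare what the BMP headers declare with the bytes actually present. The checker below is an added example, not code from the post or from Kaspersky; it assumes the extra data is appended after the pixel array (the post does not say exactly where in the file the code sits), and all function names and the sample bytes are constructed for the demonstration.

```python
import math
import struct

def build_bmp(width, height, pixel=b"\xff\xff\xff"):
    """Construct a minimal, valid 24-bit BMP (constructed sample, not a real specimen)."""
    row_stride = (width * 3 + 3) & ~3            # BMP rows are padded to 4-byte multiples
    pixel_array = (pixel * width + b"\x00" * (row_stride - width * 3)) * height
    pixel_offset = 14 + 40                        # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixel_array), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_array), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_array

def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits near 8.0, padding near 0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_bmp(blob):
    """Work out where the pixel array should end and measure whatever follows it."""
    if blob[:2] != b"BM" or len(blob) < 54:
        raise ValueError("not a BMP")
    declared_size, pixel_offset = struct.unpack_from("<I4xI", blob, 2)   # bfSize, bfOffBits
    width, height, _planes, bpp = struct.unpack_from("<iiHH", blob, 18)  # biWidth..biBitCount
    row_stride = ((width * bpp + 31) // 32) * 4
    expected_end = pixel_offset + row_stride * abs(height)  # negative height = top-down image
    trailer = blob[expected_end:]
    return {
        "declared_size": declared_size,
        "actual_size": len(blob),
        "expected_end": expected_end,
        "trailer_len": len(trailer),
        "trailer_entropy": round(shannon_entropy(trailer), 2),
    }

def suspicious(report, min_trailer=16, min_entropy=6.0):
    """Return the reasons a file deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if report["actual_size"] != report["declared_size"]:
        reasons.append("file size differs from header bfSize")
    if report["trailer_len"] >= min_trailer and report["trailer_entropy"] >= min_entropy:
        reasons.append("high-entropy data after the pixel array")
    return reasons

if __name__ == "__main__":
    clean = build_bmp(3, 2)
    hidden = clean + bytes(range(256))   # constructed stand-in for an encrypted blob
    print(suspicious(inspect_bmp(clean)), suspicious(inspect_bmp(hidden)))
```

A clean file from a well-behaved encoder yields an empty list; a file with bytes appended past the pixel array trips both checks, which is the kind of signal a scanner can use before ever trying to decrypt the payload.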