Cybercriminals are putting a new spin on the old trick of hiding malware code in Exchangeable Image File Format (EXIF) data. Recently, attackers were observed using this technique in image files, rather than text files, and uploading them to googleusercontent.com servers.
In a July 18 company blog post, Sucuri senior malware researcher Denis Sinegubko detailed one such case in which EXIF code from a Pacman .jpg image was used to mask a malicious script that steals PayPal security tokens, uploads web shells and arbitrary files, inserts defacement pages and communicates addresses of exploited websites back to the attacker.
This image was uploaded – likely via a Blogger or Google+ account – onto Google servers, so that it would be readily available for downloading from compromised websites, Sinegubko states.