Medium
Researchers discovered malware files hidden inside .ICO and .PNG image files. The files, hosted in booby-trapped Magento repositories on GitHub, contained the Magecart malware. The code was seen in a PNG file carrying legitimate Google Tag Manager code. Hiding malware inside legitimate files lets threat actors maintain a less suspicious presence. Inside the Google Tag Manager code is JavaScript that extracts the final bytes of the image file in which it is implanted. Once deobfuscated, researchers found the Magecart skimmer code, modified so that prying eyes cannot immediately see the exfiltration path. A specific block of code is responsible for computing the URL of the gateway. The malware attempts to load PNG files from a GitHub repository, where researchers found several folders and files that revealed more tampered .png and .ico files. The exfiltration URL is found within the code contained in the image file and is decrypted by the aforementioned JavaScript code.
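The loader described above reads a payload appended to the tail of an image, past the point where a well-formed PNG or ICO actually ends. The following added detection check (not code from the report or the malware) parses the PNG chunk list and the ICO directory to find the true end of the image and returns whatever trails it; the sample images and the trailer bytes are constructed here for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_payload_after_iend(data: bytes) -> bytes:
    """Walk PNG chunks and return any bytes appended after the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]          # empty for a clean file
    raise ValueError("truncated PNG: no IEND chunk")

def ico_payload_after_images(data: bytes) -> bytes:
    """Return bytes lying past the last image blob referenced by the ICO directory."""
    reserved, itype, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or itype != 1 or count == 0:
        raise ValueError("not an ICO")
    end = 6 + 16 * count               # directory ends here at minimum
    for i in range(count):
        entry = data[6 + 16 * i: 6 + 16 * (i + 1)]
        size, offset = struct.unpack("<II", entry[8:16])
        end = max(end, offset + size)
    return data[end:]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed 1x1 greyscale PNG: IHDR + IDAT + IEND, nothing else.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
# Constructed placeholder standing in for an appended script blob.
TRAILER = b"// constructed trailer payload"
TAINTED_PNG = CLEAN_PNG + TRAILER
# Constructed ICO with a single PNG-encoded entry at offset 22 (6 + one 16-byte entry).
CLEAN_ICO = (struct.pack("<HHH", 0, 1, 1)
             + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(CLEAN_PNG), 22)
             + CLEAN_PNG)

if __name__ == "__main__":
    for name, fn, blob in (("png", png_payload_after_iend, TAINTED_PNG),
                           ("ico", ico_payload_after_images, CLEAN_ICO + TRAILER)):
        print(name, "trailing bytes:", len(fn(blob)))
```

A non-empty return value is the signal worth alerting on; the functions deliberately do not try to decode the trailer, since a scanner only needs to know that the image carries extra data.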