Revealing MageCart-like Threats in Favicons via Artificial Intelligence

Abstract

Modern malware increasingly takes advantage of information hiding to avoid detection, spread infections, and obfuscate code. A major offensive strategy exploits steganography to conceal scripts or URLs, which can be used to steal credentials or retrieve additional payloads. A recent example is the attack campaign against the Magento e-commerce platform, where a web skimmer has been cloaked in favicons to steal payment information of users. In this paper, we propose an approach based on deep learning for detecting threats using least significant bit steganography to conceal malicious PHP scripts and URLs in favicons. Experimental results, conducted on a realistic dataset with both legitimate and compromised images, demonstrated the effectiveness of our solution. Specifically, our model detects ~100% of the compromised favicons when examples of various malicious payloads are provided in the learning phase. Instead, it achieves an overall accuracy of ~90% when in the presence of new payloads or alternative encoding schemes.