The attack can also be taken further. Meni Farjon, co-founder and CTO at Israel-based Solebit, told Threatpost that another unique and evasive way that attackers are using malicious code inside images uploaded to GoogleUserContent is by serving them as part of Office Documents. These remote images are loaded automatically once a user opens up a Word document.

“Those images hide malicious JavaScript code, which can then execute the code as part of exploitation such as CVE-2017-0199,” Farjon explained. The images look normal, but a closer look reveals malicious code; in one sample, it was aimed at downloading an additional two-stage malware from a remote C&C server and then executing it.

“In order to detect these kind of attacks, Google needs to adopt better anti-malware techniques, specifically in the area of content analysis and, so that they would be able to prevent those type of files being uploaded to googleusercontent.com and better protect the users which can be victimized by this,” Farjon told us.

Read entire article here