this post was submitted on 31 May 2025

Pulse of Truth


Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and won't be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.


While hunting, I found an interesting picture. It's a PNG file that was concatenated with two interesting payloads. There are file formats that are good candidates to have data added at the end of the file. PNG is one such format because the file format specification says:
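The excerpt above breaks off where it quotes the specification. The property it is about to cite is that a PNG datastream is a signature followed by chunks and ends at the IEND chunk; decoders stop there, so bytes appended after IEND survive in a file that still renders. The block below is an added example, not code from the diary or from this page: it builds a constructed 1x1 PNG in memory, appends a constructed placeholder payload, walks the chunks with CRC verification, and reports what follows IEND. The function names (analyze_png, is_mostly_text, build_minimal_png) and the payload bytes are this example's own.

```python
"""Walk PNG chunks, verify CRCs, and report bytes appended after IEND.

Added example for detecting data concatenated to a PNG; the sample image
and payload are constructed here, not taken from the diary.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for an appended payload (no relation to the diary's).
CONSTRUCTED_PAYLOAD = b"echo constructed demo payload\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1, 8-bit grayscale PNG with IHDR/IDAT/IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type, ...
    raw_scanline = b"\x00\x00"  # filter byte 0 followed by one grayscale pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw_scanline))
            + make_chunk(b"IEND", b""))


def analyze_png(blob: bytes) -> dict:
    """Parse chunks up to IEND and return them plus any trailing bytes.

    Each chunk record carries its type, declared length, whether the stored
    CRC matches, and whether the file ended before the chunk was complete.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    trailer = b""
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if end > len(blob):
            # Declared length runs past EOF: truncated or corrupt chunk, stop here.
            chunks.append({"type": ctype.decode("latin-1"), "length": length,
                           "crc_ok": False, "truncated": True})
            break
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        crc_ok = stored_crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append({"type": ctype.decode("latin-1"), "length": length,
                       "crc_ok": crc_ok, "truncated": False})
        pos = end
        if ctype == b"IEND":
            # Everything after IEND is ignored by viewers but still on disk.
            trailer = blob[pos:]
            break
    return {"chunks": chunks, "trailer": trailer}


def is_mostly_text(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: a trailer that is mostly printable ASCII looks like a script."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


if __name__ == "__main__":
    sample = build_minimal_png() + CONSTRUCTED_PAYLOAD
    report = analyze_png(sample)
    for c in report["chunks"]:
        print(f"{c['type']:4} len={c['length']:5} crc_ok={c['crc_ok']} truncated={c['truncated']}")
    t = report["trailer"]
    print(f"{len(t)} trailing bytes after IEND; text-like={is_mostly_text(t)}")
```

Run it against a real file by replacing the constructed sample with `open(path, "rb").read()`; a non-empty trailer on an image that still opens normally is the condition the diary describes. CRC checking is kept because a trailer is only meaningful once the chunk walk itself is trustworthy: a bad or truncated chunk before IEND means the offset of "the end" cannot be relied on.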

[–] FMT99@lemmy.world 4 points 1 week ago (last edited 1 week ago)

So how do these embedded scripts get extracted? You need a separate executable to do the actual extraction/execution?

[–] krogoth 5 points 1 week ago

Yes. And you will have a good chance that the EDR won't flag the extractor since it's not suspicious code per se.

[–] FMT99@lemmy.world 2 points 1 week ago

Interesting thanks!