Full Report
When a Magecart payload hides inside the EXIF data of a dynamically loaded third-party favicon, no repository scanner will catch it – because the malicious code never actually touches your repo. As teams adopt Claude Code Security for static analysis, this is the exact technical boundary where AI code scanning stops and client-side runtime execution begins. A detailed analysis of where Claude
Analysis Summary
# Tool/Technique: EXIF-Encoded Magecart (Steganography in Favicons)
## Overview
This technique involves the obfuscation and delivery of malicious JavaScript (Magecart) by embedding the payload within the EXIF (Exchangeable Image File Format) metadata of a favicon image file. By hosting the malicious image on a third-party server or CDN and loading it dynamically at runtime, attackers bypass static repository scanners and AI-driven code security tools that only inspect the site's primary codebase.
## Technical Details
- **Type**: Malware / Steganography Technique
- **Platform**: Web Browsers (Client-side)
- **Capabilities**: Data skimming, credential harvesting, evasion of static analysis.
- **First Seen**: Variants of EXIF-based steganography have been observed since ~2020 (notably the "Macaroon" campaign).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise
- **TA0005 - Defense Evasion**
  - T1027.003 - Obfuscated Files or Information: Steganography
  - T1553.003 - Subvert Trust Controls: SIP and Trust Provider Hijacking (via 3rd party CDNs)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Steganographic Loading**: Malicious script is hidden in metadata fields (like "Copyright" or "Artist") within an `.ico` or `.png` file.
- **Dynamic Execution**: A small, seemingly benign "loader" script on the target site fetches the image, parses the EXIF data, and executes the hidden string using `eval()` or `new Function()`.
- **Evasion of Static Analysis**: Because the malicious payload is hosted on a third-party domain and resides within an image file, static analysis tools (like Claude Code Security or SonarQube) see only a standard image request.
### Advanced Features
- **Third-Party Impersonation**: Uses legitimate-looking domains or compromised subdomains to host the favicon.
- **Selective Execution**: Often includes checks to ensure the script only runs on checkout or login pages to minimize noise.
## Indicators of Compromise
- **File Hashes**: *Varies by campaign; specific hashes require the full dataset.*
- **File Names**: `favicon.ico`, `logo.png`, `icon.png`
- **Network Indicators**:
  - Requests to unauthorized third-party CDNs or unusual domains (e.g., `cdn-images-check[.]com`).
  - Data exfiltration to domains imitating payment processors.
- **Behavioral Indicators**:
  - DOM manipulation on payment fields.
  - Unexpected use of `eval()` or `atob()` on data retrieved from an image object.
  - `XMLHttpRequest` or `fetch` requests targeting image files followed by script execution.
## Associated Threat Actors
- **Magecart Groups** (specifically Group 9 and Group 12 have historically used steganography).
## Detection Methods
- **Behavioral Detection**: Monitor for the execution of code derived from non-script resources (Content-Type mismatch).
- **Network Inspection**: Inspect the content of image files (in particular the EXIF text fields) for ASCII strings that look like JavaScript (e.g., `;`, `var`, `window.`).
- **CSP Monitoring**: Use Content Security Policy (CSP) violation reports to identify unauthorized external requests.
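As an added example (not code from the original report), the following Python implements the network-inspection check above: it walks the IFD0 entries of a JPEG's APP1/EXIF segment, extracts the ASCII text tags this technique abuses (Copyright, Artist, ImageDescription) and flags values that contain JavaScript tokens rather than a caption. The sample image bytes are constructed inline; the tag watch-list and the token regex are assumptions to tune per environment.

```python
import re
import struct

# EXIF ASCII tags commonly abused to carry a text payload (assumed watch-list).
TEXT_TAGS = {0x010E: "ImageDescription", 0x013B: "Artist", 0x8298: "Copyright"}
# Heuristic: tokens that rarely appear in a real copyright notice but do in JS.
JS_PATTERN = re.compile(r"(eval\s*\(|new\s+Function|document\.|window\.|\bvar\b|\bfunction\b|atob\s*\()")


def exif_text_fields(data: bytes) -> dict:
    """Return {tag_name: value} for watched ASCII IFD0 entries in a JPEG EXIF block."""
    start = data.find(b"Exif\x00\x00")
    if start < 0:
        return {}                           # no EXIF segment at all
    tiff = start + 6                        # TIFF header begins after the Exif marker
    byte_order = data[tiff:tiff + 2]
    endian = "<" if byte_order == b"II" else ">" if byte_order == b"MM" else None
    if endian is None:
        return {}
    ifd0 = tiff + struct.unpack(endian + "I", data[tiff + 4:tiff + 8])[0]
    count = struct.unpack(endian + "H", data[ifd0:ifd0 + 2])[0]
    fields = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHI4s", data[entry:entry + 12])
        if typ != 2 or tag not in TEXT_TAGS:
            continue                        # only ASCII entries on the watch-list
        # Values of up to 4 bytes are stored inline; longer ones sit at an offset from the TIFF header.
        if n <= 4:
            raw = val[:n]
        else:
            off = struct.unpack(endian + "I", val)[0]
            raw = data[tiff + off:tiff + off + n]
        fields[TEXT_TAGS[tag]] = raw.rstrip(b"\x00").decode("latin-1", "replace")
    return fields


def suspicious_fields(data: bytes) -> dict:
    """Subset of EXIF text fields whose value looks like JavaScript rather than a caption."""
    return {k: v for k, v in exif_text_fields(data).items() if JS_PATTERN.search(v)}


def build_sample(copyright_text: bytes) -> bytes:
    """Constructed test input: a minimal JPEG with one APP1/EXIF Copyright tag (value longer than 4 bytes)."""
    n = len(copyright_text) + 1             # ASCII values are NUL-terminated
    value_offset = 8 + 2 + 12 + 4           # TIFF header + entry count + one entry + next-IFD pointer
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x8298, 2, n, value_offset) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + copyright_text + b"\x00"
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A real deployment would run `suspicious_fields` over image responses at the proxy or in a CI fetch of every third-party favicon the site references, alerting on any non-empty result.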
## Mitigation Strategies
- **Content Security Policy (CSP)**: Implement a strict `script-src` and `connect-src` to prevent the loading of scripts/data from unauthorized domains.
- **Subresource Integrity (SRI)**: Use SRI for any third-party scripts.
- **Metadata Stripping**: Ensure that all images served by your own CDNs have EXIF data stripped.
- **Runtime Protection**: Employ Client-Side WAFs or specific Magecart detection services that monitor for unauthorized DOM changes and data exfiltration at runtime.
## Related Tools/Techniques
- **CSS Steganography**: Hiding data in CSS properties.
- **Webskimming**: The broader category of injecting malicious scripts into e-commerce sites.
- **Polyglot Files**: Files that are valid as two different file formats (e.g., a valid GIF and a valid JS file).