We've recently seen some examples of how cache smuggling can be used to deliver malicious content. Cache smuggling relies on Outlook's default image caching behaviour to pull down an image file sent via email even when the Outlook client prevents the image from being viewed. In most configurations these days I would expect the image to be hidden until the user chooses to accept a warning. However, since the file gets cached, it is resident on disk and can be referenced with simpler scripting techniques. For example, the Run window can execute up to 256 characters of commands; if a concise script can reach into the file cache to retrieve the malicious content (this is the cache smuggling technique), it can appear benign, it won't have to download the malicious content (which most EDRs would detect) since that has already been cached, and the payload itself can be encrypted so its contents aren't detected by malware scanning. This post shows how the malicious payload can be smuggled in image EXIF data. We've also recently seen cases of obfuscated malicious content in SVG metadata. The post itself is really good because it shows how a new technique can re-open a world of attacks that had been prevented by scanning or EDR. Can we expect EDR to introduce new detections for these new techniques? Absolutely, but this is a great example of how this battlefront is never stable.
Look At This Photograph - Passively Downloading Malware Payloads Via Image Caching
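As an added example from the defender's side (not code from the linked post), here is a stdlib-only Python check that walks a JPEG's marker segments and flags an EXIF (APP1) block that is unusually large or near-random, which is what an encrypted payload stashed in EXIF would look like in a cached image. The size and entropy thresholds are assumed starting points, not values from the post, and `make_jpeg` only builds constructed test data.

```python
# Heuristic scan of a JPEG's EXIF (APP1) segment for oversized or high-entropy data.
import math
import struct

SOI, APP1, SOS, EOI = b"\xff\xd8", 0xE1, 0xDA, 0xD9
MAX_EXIF_BYTES = 16 * 1024  # assumed threshold: camera EXIF is usually a few KB
MAX_ENTROPY = 7.0           # bits/byte; encrypted or compressed data approaches 8

def shannon_entropy(data: bytes) -> float:  # bits per byte, 0.0 for empty input
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def jpeg_segments(buf: bytes):
    """Yield (marker, payload) for each marker segment up to SOS/EOI."""
    if not buf.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = buf[pos + 1]
        if marker in (SOS, EOI):
            return
        (length,) = struct.unpack(">H", buf[pos + 2:pos + 4])  # length includes itself
        yield marker, buf[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_findings(buf: bytes) -> list:
    """Reasons the EXIF segment looks suspicious; an empty list means nothing flagged."""
    findings = []
    for marker, payload in jpeg_segments(buf):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        body = payload[6:]
        if len(body) > MAX_EXIF_BYTES:
            findings.append(f"oversized EXIF segment: {len(body)} bytes")
        ent = shannon_entropy(body)
        if len(body) >= 256 and ent > MAX_ENTROPY:
            findings.append(f"high-entropy EXIF segment: {ent:.2f} bits/byte")
    return findings

def make_jpeg(exif_body: bytes) -> bytes:  # minimal JPEG shell, constructed test data only
    payload = b"Exif\x00\x00" + exif_body
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Run `exif_findings(open(path, "rb").read())` over each file in the cache directory; a normal camera EXIF block yields an empty list, while a padded or encrypted blob trips one or both heuristics.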