Hackers used Ars Technica and Vimeo to deliver malware using obfuscated binary instructions in a URL

January 31, 2024

Security analytics firm Mandiant recently uncovered a “never-before-seen” attack chain that used Base64 encoding on at least two different websites to deliver the second-stage payload of a three-stage malware. The two sites were tech publication Ars Technica and video hosting site Vimeo.

A user posted a picture of a pizza on the Ars Technica forum with the caption, “I like pizza.” There was nothing inherently wrong with the image or text. However, the photo, hosted on a third-party website, had a URL containing a Base64 string. A Base64 string looks like random ASCII characters, but in this case it obfuscated binary instructions to download and install the second stage of a malware package.
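
Added example, not from Mandiant or the original article: one way to triage URLs found in user-posted content for the pattern described above, flagging a long Base64 run that decodes to mostly non-text bytes. The function names, thresholds, and sample URLs are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Runs of standard or URL-safe Base64 characters long enough to carry a payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{40,}={0,2}")

def mixed_alphabet(token: str) -> bool:
    """Encoded binary mixes cases and digits; URL slugs and hex digests do not."""
    upper = sum(c.isupper() for c in token)
    lower = sum(c.islower() for c in token)
    digits = sum(c.isdigit() for c in token)
    return min(upper, lower) >= 0.1 * len(token) and digits > 0

def try_decode(token: str):
    """Decode a standard or URL-safe Base64 run; return None if it is not valid."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    if len(body) % 4 == 1:  # no Base64 string has this length
        return None
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def suspicious_base64(url: str, max_printable: float = 0.7):
    """Return (component, decoded_length, printable_ratio) per binary-looking run."""
    parts = urlsplit(url)
    findings = []
    for name in ("path", "query", "fragment"):
        for match in B64_RUN.finditer(unquote(getattr(parts, name))):
            token = match.group()
            decoded = try_decode(token) if mixed_alphabet(token) else None
            if not decoded:
                continue
            printable = sum(32 <= b < 127 for b in decoded) / len(decoded)
            if printable < max_printable:  # mostly non-text bytes
                findings.append((name, len(decoded), round(printable, 2)))
    return findings

# Constructed sample data: 86 arbitrary bytes, not a real payload or indicator.
SAMPLE_BLOB = base64.urlsafe_b64encode(bytes(range(0, 256, 3))).decode()
SAMPLE_URLS = [
    "https://img.example/uploads/pizza.jpg?" + SAMPLE_BLOB,
    # Benign look-alikes: a long slug, and the SHA-1 of the empty string as a content hash.
    "https://img.example/2024/01/a-very-long-descriptive-file-name-for-a-pizza-photo.jpg",
    "https://img.example/f/da39a3ee5e6b4b0d3255bfef95601890afd80709.png",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(suspicious_base64(u) or "clean", u[:60])
```

Hits are triage signals, not verdicts: signed tokens and tracking identifiers in URLs also decode to binary and need an allowlist or further inspection.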

