Building a Resilient World:
The ISAGCA Blog


What Are Polyglot Files and What Is Their OT Security Risk?

System integrators, service providers and essentially any professional responsible for safeguarding industrial automation and control systems (IACS) face a constant stream of increasingly sophisticated cyber threats. Malicious actors continually look for covert ways to compromise systems and networks by bypassing traditional security measures, and one of the lesser-known tactics is the use of polyglot files.

These files pose a particularly insidious challenge for organizations managing critical operational infrastructure. Because a polyglot satisfies more than one format specification at once, it creates false impressions and assumptions about what a file actually is, letting content slip past controls that identify a file by a single format check and leaving OT environments at greater risk of compromise.

With that in mind, it is worth examining how serious polyglot files are and which risk mitigation measures are necessary to prevent their exploitation.

What Are Polyglot Files?

A polyglot file is a single file that can be validly interpreted as more than one file format.

The term “polyglot” historically referred to a multilingual speaker who adapts their communication to different audiences. Polyglot files present themselves differently depending on the application used to open them. For example, a single file may display an image when opened in a photo-viewing application, yet execute a malicious script when processed by a different application.

The duality of polyglot files exists because of structural differences between file format specifications. Many formats allow their header identifiers to sit at flexible offsets within the file rather than strictly at the first byte, which lets a second format's header be embedded inside, or appended to, the host file.

Whatever the secondary file type, most security systems simply inspect the apparent file type. Since a polyglot adheres to the host file's specification, it is not necessarily flagged as corrupted, compromised or unusual. Many systems classify a file by its most obvious indicator, such as the extension or the leading magic bytes, but a polyglot can contain multiple valid headers and entries. As a result, hidden or suspicious content is easily overlooked.

Types of Polyglots

Polyglot files vary in structure and sophistication depending on how the embedded file types are integrated within the host file and how compatible they are with the host format:

  • Stack polyglots: files are "stacked" or layered one after another. This type is limited to formats that are parsed from the end of the file rather than the beginning, such as ZIP archives (as seen in the PhantomPyramid case), meaning attackers can append malicious content to otherwise harmless files.
  • Parasite polyglots: secondary files are embedded within the structure of the host file. This technique uses metadata fields (such as UTF-8 text comment segments) that are rarely used and often ignored by parsers to hide malicious payloads.
  • Zipper polyglots: a more advanced form of parasite polyglot in which each file type embeds the other's data blocks within its own comment sections, often used when script files are merged so that multiple engines can interpret the same file.
  • Cavity polyglots: malicious code disguised as innocuous data is placed in unused regions (padding or gaps) of a file's structure that parsers skip over. These exploit gaps in file processing.

OT Cybersecurity Implications

In IT environments, polyglot files pose severe risks that traditional security measures may not always isolate. If OT environments are exposed, those risks are compounded. Industrial control systems often rely on legacy protocols that may not implement strong file validation mechanisms, and human-machine interfaces (HMIs) or engineering workstations, when processing these seemingly harmless files, may inadvertently execute malicious code.

If OT networks are not properly segmented, they could be susceptible to further infection and damage from one compromised workstation. Should attackers gain access to programmable logic controllers (PLCs), distributed control systems (DCS) or supervisory control and data acquisition (SCADA) systems by moving laterally through the network, the repercussions could be particularly severe. 

OT documentation and system diagrams often rely on a variety of image file formats. These formats are attractive to external threat actors, who can exploit their metadata, EXIF structures or comment fields to embed malicious payloads without affecting the file's apparent legitimacy. Social engineering is commonly used to distribute malicious polyglot files into an OT environment, with common attack vectors being:

  • Phishing campaigns that target engineers with what appear to be legitimate system updates or technical documents, where the images look legitimate on the surface while the documents contain extraction scripts
  • Insider and man-in-the-middle (MITM) attacks that exploit authorized access to introduce polyglot files through removable media or internal communication channels
  • Supply chain attacks in which malicious actors intercept communication pathways or distribution channels to deliver polyglot files disguised as system updates, terms-and-conditions (T&C) updates and the like

The effectiveness and overall severity of a polyglot attack are often driven by a lack of awareness, training and the ability to recognize split-payload attacks.

OT Security Detection and Prevention Strategies

It would be naive to ignore the attack potential of polyglot files. Organizations must confront them by looking beyond standard antivirus and endpoint detection systems. Such tools may analyze a file based on its apparent format and trigger an alert, but when a polyglot presents itself as a benign image or document, they may not examine or scan the embedded secondary format at all.

Organizations can implement several defensive measures to mitigate polyglot file risks:

  • Enhanced file validation processes to examine files for multiple format indicators (e.g. analyzing file headers, metadata and distribution patterns)
  • Zero-trust philosophies that treat every incoming file as malicious and subject it to deep analysis and sanitization before it enters the OT environment
  • Network segmentation to restrict the potential impact of polyglot attacks by isolating critical OT systems from other distributed resources where files may be processed more regularly
  • Regular security assessments, audits and training to evaluate security etiquette, posture and response strategies for these and similar advanced security threats
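As an added illustration (not code from the original post or from ISAGCA) of the stack polyglot described in the types list and of the multi-indicator file validation recommended above: a Python checker that reports the format implied by the leading magic bytes, any other format signature found where its reader would actually look (the ZIP end-of-central-directory record near the end of the file, a PDF header within the first 1024 bytes), and any bytes trailing the host format's terminator. The sample it builds is constructed here, a valid 1x1 PNG with a benign ZIP appended; all function and file names are assumptions.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC = {PNG_SIG: "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif",  # leading magic bytes
         b"%PDF-": "pdf", b"PK\x03\x04": "zip"}


def png_end(data: bytes) -> int:
    """Walk the PNG chunk list; return the offset just past IEND (len(data) if malformed)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + body + CRC
        if ctype == b"IEND":
            return pos
    return len(data)


def detect_formats(data: bytes) -> dict:
    """Leading-magic format plus the other format indicators a single check misses."""
    primary = next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")
    secondary = []
    # Stack polyglot: ZIP readers find the archive from the end-of-central-directory
    # record (at most 22 + 65535 comment bytes from EOF), so a ZIP after an image still opens.
    if primary != "zip" and b"PK\x05\x06" in data[-65557:]:
        secondary.append("zip")
    # PDF readers accept "%PDF-" anywhere within the first 1024 bytes.
    if primary != "pdf" and b"%PDF-" in data[:1024]:
        secondary.append("pdf")
    # Bytes after the host format's own terminator are a stacking indicator.
    trailing = len(data) - png_end(data) if primary == "png" else 0
    return {"primary": primary, "secondary": secondary, "trailing_bytes": trailing}


def stacked_zip_names(data: bytes) -> list:
    """Names a ZIP reader extracts from the file, ignoring whatever precedes the archive."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample() -> bytes:
    """Constructed sample: a valid 1x1 grayscale PNG with a benign ZIP stacked after IEND."""
    png = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed archive content")
    return png + buf.getvalue()
```

Run on `build_sample()`, `detect_formats` reports `primary` "png" with `secondary` ["zip"] and a non-zero trailing byte count, while `stacked_zip_names` shows the same bytes open as an archive; a JPEG terminator walk would follow the same pattern for photo formats.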

As threat actors continue to develop new polyglot file compromise techniques, maintaining vigilance and adaptability in detection and response remains vital in preserving OT environment integrity.


Chester Avey

Chester Avey is a UK-based freelance tech writer and consultant with more than 20 years' experience in IT and extensive knowledge of the evolving tech industry.

He enjoys writing authoritative articles and up-to-date opinion pieces on a wide range of topics including digital marketing trends, AI, cybersecurity, software solutions and e-commerce.

Chester Avey, Jul 18, 2025, 7:00:00 AM