TL;DR:

- Exploit allows attacker to execute local shell commands on DB server, through queries

- Attacker wget's image file with embedded executable binary

- Attacker runs binary

- Antiviruses are less likely to see the cryptominer when it is embedded within the picture.

It seems like the real issue here is the capacity to execute these local shell commands through the database, not the fact that the image had an executable binary embedded within it.