Cybercriminals have begun exploiting Scalable Vector Graphics (SVG) files as subtle attack vectors, turning seemingly harmless image files into phishing weapons capable of executing malicious JavaScript on Windows systems.
This emerging threat leverages the XML-based structure of SVG files to embed and execute malicious scripts when the file is opened in the default web browser, bypassing traditional security measures that typically focus on conventional executable files.
Unlike standard image formats such as JPEG or PNG, which store pixel data, SVG files use XML-based code to define vector paths, shapes, and text elements.
This fundamental difference creates an opportunity for attackers to embed JavaScript code within the file structure, and that code executes automatically when the SVG file is opened in a browser.
The attack primarily targets Windows systems, where SVG files open in the default web browser, enabling immediate script execution with no user interaction beyond opening the file.
Seqrite security researchers have identified a sophisticated campaign using this technique, observing attackers distributing malicious SVG files via spear-phishing emails with deceptive subject lines such as “Reminder for your Scheduled Event” and attachments named “Upcoming Meeting.svg” or “Your-to-do-List.svg.”
Attack chain of the SVG campaign (Source – Seqrite)
The campaign also uses cloud storage platforms including Dropbox, Google Drive, and OneDrive to distribute the malicious files while evading email security filters.
The attack shows notable technical sophistication, with threat actors using multiple evasion techniques to maintain persistence and avoid detection by traditional security solutions.
Technical Infection Mechanism and Code Obfuscation
The malicious SVG files contain embedded <script> tags inside CDATA sections to hide the malicious logic from basic content scanners. Security researchers found that the attackers use a hex-encoded string variable (Y) paired with a short XOR key (q) to obfuscate the payload.
When processed, this encoded data decrypts into executable JavaScript that uses the window.location = 'javascript:' + v; syntax to redirect victims to phishing sites.
Upon successful decryption, the payload redirects users to command-and-control infrastructure, specifically hxxps://hju[.]yxfbynit[.]es/koRfAEHVFeQZ!bM9, which places a Cloudflare CAPTCHA gate in front of a convincing Office 365 login form designed for credential harvesting.
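As an added illustration (not code from Seqrite's report and not the campaign's own script), the following Python triage script shows how a defender could inspect a suspicious .svg attachment offline. It parses the XML, lists every <script> element (the parser unwraps CDATA for us), collects the string variables declared inside each script, and tries to XOR-decode any long hex literal with every short string found next to it, flagging the result when it contains redirect or loader indicators such as javascript: or window.location. It also checks on* event-handler attributes and javascript: hrefs, which the article does not mention but which are the other usual places for script in an SVG. The sample SVG, the variable names Y and q, the key value k1, and the benign control file are all constructed for this demonstration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Strings a defender would flag in a decoded script body. The first two are the
# idioms described in the article; the rest are common loader primitives.
INDICATORS = ("javascript:", "window.location", "eval(", "atob(",
              "unescape(", "document.write")

# Matches  var Y = "48656c...";  or  let q = 'k1';  with either quote style.
VAR_RE = re.compile(r"""(?:var|let|const)\s+(\w+)\s*=\s*(['"])(.*?)\2""", re.S)
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so the same
    routine both builds the constructed sample and decodes candidates."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as {http://www.w3.org/2000/svg}."""
    return tag.rsplit("}", 1)[-1].lower()


def extract_scripts(svg_text: str) -> list:
    """Return the body of every <script> element, CDATA already unwrapped."""
    root = ET.fromstring(svg_text)
    return [el.text for el in root.iter()
            if _local_name(el.tag) == "script" and el.text]


def decode_candidates(script: str) -> list:
    """Pair each long hex literal with each short string variable as an XOR
    key; if no declared key yields indicators, fall back to all 256 single-byte keys."""
    strings = {name: val for name, _quote, val in VAR_RE.findall(script)}
    hex_vars = {n: v for n, v in strings.items()
                if HEX_RE.match(v) and len(v) % 2 == 0}
    keys = {n: v for n, v in strings.items()
            if n not in hex_vars and 1 <= len(v) <= 8}
    results = []
    for hname, hval in hex_vars.items():
        data = bytes.fromhex(hval)
        candidates = [(kname, kval.encode()) for kname, kval in keys.items()]
        candidates += [(None, bytes([k])) for k in range(256)]  # brute-force fallback
        for kname, kbytes in candidates:
            plain = xor_bytes(data, kbytes).decode("utf-8", errors="replace")
            hits = [ind for ind in INDICATORS if ind in plain]
            if hits:
                results.append({"hex_var": hname, "key_var": kname,
                                "key_hex": kbytes.hex(), "plaintext": plain,
                                "indicators": hits})
                break  # first key that yields indicators is enough for triage
    return results


def scan_svg(svg_text: str) -> dict:
    """Produce a triage report for one SVG document."""
    scripts = extract_scripts(svg_text)
    report = {"script_count": len(scripts), "plain_indicators": [],
              "decoded": [], "event_handlers": []}
    for body in scripts:
        report["plain_indicators"] += [i for i in INDICATORS if i in body]
        report["decoded"] += decode_candidates(body)
    for el in ET.fromstring(svg_text).iter():
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on") or val.strip().lower().startswith("javascript:"):
                report["event_handlers"].append([_local_name(el.tag), attr])
    report["suspicious"] = bool(scripts or report["event_handlers"])
    return report


# Constructed sample: the decoded text is the redirect idiom from the article,
# hex-encoded after XOR with the two-byte key "k1". The decode loop that a real
# carrier would contain is deliberately left out; only the variables are present.
SAMPLE_HEX = xor_bytes(b"window.location = 'javascript:' + v;", b"k1").hex()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="white"/>
  <script><![CDATA[
    var Y = "{SAMPLE_HEX}";
    var q = "k1";
    // decode loop omitted in this constructed sample
  ]]></script>
</svg>"""

# Constructed benign control: no script, no event handlers.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    print(json.dumps(scan_svg(SAMPLE_SVG), indent=2))
    print(json.dumps(scan_svg(BENIGN_SVG), indent=2))
```

Any script element at all is enough to quarantine an SVG that arrived as an email attachment, since legitimate image attachments have no reason to carry one; the decoding step is there so an analyst can see what the obfuscated variable resolves to without opening the file in a browser.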