Warning: Hackers Are Hiding Dangerous Malware in SVG Image Files
Cybercriminals are constantly evolving their tactics, and their latest method involves a file type many people consider harmless: the SVG image. A new, sophisticated phishing campaign has been identified that uses Scalable Vector Graphics (SVG) files to distribute the notorious AsyncRAT malware, a powerful tool that can give attackers complete control over a victim’s computer.
This campaign demonstrates a significant shift in attack strategy, exploiting user trust in common image formats to bypass security measures and trick unsuspecting victims. The attacks primarily impersonate official government bodies, such as the Colombian Directorate of National Taxes and Customs (DIAN), to create a false sense of legitimacy and urgency.
How the SVG Malware Attack Works
The infection process is multi-staged and carefully designed to evade detection. Understanding the steps involved is crucial for recognizing and preventing this threat.
- The Deceptive Email: The attack begins with a phishing email that appears to be an official notification, such as a tax summons or a legal notice. The message pressures the recipient to open the attached file for more details.
- The Malicious SVG Attachment: Unlike a typical Word document or PDF, the attachment is an SVG file. Most users and many basic email filters treat SVGs as simple images, making them less likely to be flagged as suspicious. However, an SVG file is an XML document, which means it can contain embedded scripts such as JavaScript.
- Hidden Script Execution: When the victim opens the SVG file in a modern web browser, the embedded JavaScript executes automatically. This script triggers the next stage of the attack.
- Downloading the Payload: The malicious JavaScript contacts an external server and downloads a compressed ZIP archive. To further conceal its intent, this archive is often disguised with a double extension (e.g., “document.pdf.zip”).
- Final Execution via VBScript: Inside the ZIP file is a VBScript (.VBS) file. Once the user extracts and runs this script, it initiates the final download and installation of the AsyncRAT payload onto the system.
Why Are Attackers Using SVG Files?
The choice of SVG files is a deliberate and cunning strategy. Attackers leverage several key advantages:
- Evasion of Security Scanners: Many email security gateways are configured to heavily scrutinize common malicious file types like .exe, .js, or .docm, but may not apply the same level of inspection to image files like SVGs.
- Exploiting User Trust: The average person does not associate image files with malware. This inherent trust makes users more likely to open an SVG attachment without suspicion.
- Versatility of Scripts: Because SVGs can contain JavaScript, they serve as a perfect Trojan horse to initiate a more complex infection chain that would otherwise be blocked.
The Dangers of AsyncRAT
The final payload in this campaign, AsyncRAT, is a highly capable Remote Access Trojan. Once installed, it grants attackers extensive control over the infected machine. Its capabilities include:
- Keystroke logging to capture passwords, financial details, and private conversations.
- Screen recording and capturing screenshots to monitor user activity.
- Accessing the webcam and microphone for surveillance.
- Stealing files and sensitive data from the computer.
- Executing remote commands, allowing attackers to install more malware or use the machine in a botnet.
How to Protect Yourself and Your Organization
Defending against this evolving threat requires a combination of technical controls and user awareness. Follow these essential security practices:
- Treat All Unsolicited Attachments with Suspicion: Even if an email appears to be from a legitimate source, be extremely cautious about opening attachments you were not expecting. If an email from a government agency seems suspicious, contact them directly through their official website or phone number to verify its authenticity.
- Inspect File Extensions: Always be aware of the full file extension. A file named “invoice.svg” is an image that can contain a script, not a standard document. Be especially wary of files with double extensions.
- Implement Advanced Email Security: Use an email security solution that can perform deep content inspection and analyze attachments beyond simple file-type blocking. Solutions that can identify and block malicious scripts within files are essential.
- Educate Your Users: Human vigilance is the best line of defense. Train employees and colleagues to recognize the signs of phishing, understand the risks of unusual file types, and know how to report suspicious emails.
- Keep Systems and Software Updated: Ensure your operating system, web browser, and antivirus software are always up-to-date. Patches often contain critical security fixes that can protect against malware execution techniques.
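The two technical points above, that an SVG is XML and can embed JavaScript, and that a gateway should inspect attachment content rather than trust the image extension, can be turned into a concrete check. The following scanner is an added example written for this article; it is not code from the article, from the campaign, or from any vendor product. It flags inline <script> elements and on* event handlers (the vectors the article describes) and, going slightly beyond the page, also javascript: URIs and <foreignObject> elements, which are further ways an SVG can carry active content. The double-extension pattern list and the three sample attachments are constructed assumptions for the demonstration.

```python
"""Scan SVG e-mail attachments for embedded script content.

Added example, not code from the original article or from any product.
All sample inputs below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

# Filenames that end in a document-looking extension followed by a container
# or script extension, e.g. "document.pdf.zip". Assumption: a reasonable
# starting list for a gateway rule, not an exhaustive one.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(zip|rar|7z|svg|vbs|js|exe)$",
    re.IGNORECASE,
)
# Any attribute whose local name starts with "on" is an event handler
# (onload, onclick, ...), and its value is executed as script by a browser.
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)


@dataclass
class ScanResult:
    filename: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix: '{...svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(filename: str, data: bytes) -> ScanResult:
    """Return the script-related findings for one attachment.

    xml.etree does not fetch external entities, but a production scanner
    should use defusedxml so entity-expansion tricks cannot stall the scanner.
    """
    result = ScanResult(filename)
    if DOUBLE_EXT_RE.search(filename):
        result.findings.append("double extension in filename")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # An "image" that is not even well-formed XML is not safe by default.
        result.findings.append("not well-formed XML")
        return result
    for el in root.iter():
        tag = local_name(el.tag).lower()
        if tag == "script":
            result.findings.append("<script> element")
        elif tag == "foreignobject":
            result.findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if EVENT_ATTR_RE.match(name):
                result.findings.append(f"event handler attribute {name}")
            if value.strip().lower().startswith("javascript:"):
                result.findings.append(f"javascript: URI in {name}")
    return result


def triage(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return the filenames that should be quarantined."""
    return [name for name, data in attachments if scan_svg(name, data).suspicious]


# Constructed test inputs: a plain drawing and an SVG carrying an onload
# handler plus an inline script with a placeholder body.
BENIGN_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SCRIPTED_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script type="text/javascript">/* placeholder script body */</script>
  <rect width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    samples = [("logo.svg", BENIGN_SVG),
               ("tax_notice.svg", SCRIPTED_SVG),
               ("document.pdf.zip", b"")]
    for name, data in samples:
        r = scan_svg(name, data)
        print(f"{name}: {'QUARANTINE' if r.suspicious else 'ok'} {r.findings}")
```

The check is deliberately content-based: it never looks at the MIME type or the .svg suffix to decide whether something is an image, because the article's whole point is that the extension is what the attacker is counting on. Treating a parse failure as a finding rather than as "not an SVG, ignore" closes the obvious bypass of a slightly malformed file that a lenient browser would still render.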
Source: https://securityaffairs.com/181917/malware/svg-files-used-in-hidden-malware-campaign-impersonating-colombian-authorities.html