
Warning: Hackers Are Now Hiding Malware in SVG Image Files
Cybercriminals are constantly evolving their tactics, and a new, stealthy campaign highlights their ingenuity by using a seemingly harmless file type to deploy dangerous malware: the SVG image file. This sophisticated phishing attack leverages Scalable Vector Graphics (SVG) files to bypass security measures and install potent information-stealing trojans on victim systems.
This method is particularly deceptive because SVG files are typically associated with legitimate images and logos, not malicious code. However, their underlying structure makes them a perfect vehicle for attacks.
How the SVG Phishing Attack Works
The attack begins with a classic phishing email. These emails are designed to look like urgent business communications, such as an invoice, a receipt, or a contractual document. Attached to the email is an SVG file, disguised with an icon that mimics a standard PDF or text document.
When an unsuspecting user clicks to open the attachment, they aren’t met with a traditional image viewer. Instead, the SVG file opens in their web browser. This is where the trap is sprung.
Unlike standard image formats like JPG or PNG, SVG files are built on XML code, which can contain embedded scripts, such as JavaScript. In this campaign, threat actors have embedded malicious JavaScript directly into the SVG file. Once opened in a browser, this script executes automatically, redirecting the user to a malicious website. This site then prompts the download of a ZIP archive containing the final malware payload.
The entire process is quick and can appear legitimate to the untrained eye, making it an incredibly effective delivery method.
Why This Technique is So Dangerous
This attack vector is effective for several key reasons:
- Evasion of Security Filters: Many email security gateways and antivirus programs are configured to scrutinize common malicious file types like .exe, .docm, or .zip. SVG files are often considered safe and are not subjected to the same level of inspection, allowing them to slip past defenses and into a user’s inbox.
- High User Trust: Most people are trained to be wary of executable files, but few would suspect an image file of harboring malware. This misplaced trust makes them more likely to open the attachment without hesitation.
- Multi-Stage Attack: The initial SVG file is not the malware itself but a downloader. This multi-stage approach makes it harder for security software to detect the threat in the initial scan, as the malicious payload is only retrieved after the user interacts with the file.
The Payload: The Ursnif Information-Stealing Trojan
The malware being delivered in this campaign has been identified as Ursnif (also known as Gozi), a notorious and highly dangerous banking trojan. Once installed on a system, Ursnif is designed to steal a wide range of sensitive information, including:
- Online banking credentials
- Email account passwords
- Browser cookies and history
- System information
- Keystrokes (keylogging)
A successful Ursnif infection can lead to devastating financial loss, identity theft, and further network compromise as attackers use the stolen credentials to move laterally through an organization.
How to Protect Yourself and Your Organization
Defending against this type of evolving threat requires vigilance and a multi-layered security approach. Here are actionable steps to stay safe:
- Treat All Attachments with Suspicion: Never open an attachment from an unknown sender. Even if the sender appears legitimate, verify that the email is expected, especially if it contains an unusual file type like an SVG pretending to be a document.
- Inspect File Extensions: Always check the full file name of an attachment before opening it. A file named “Invoice.pdf.svg” is an SVG file, not a PDF. Train yourself and your employees to spot these deceptive file names.
- Enhance Email Security: Ensure your organization uses an advanced email security solution that can analyze file behavior and detect embedded malicious scripts, rather than just scanning for known file signatures.
- Educate and Train Users: User awareness is the first line of defense. Regular cybersecurity training should cover new and emerging threats, including the misuse of non-traditional file types in phishing attacks.
- Maintain Robust Endpoint Protection: Use a modern endpoint detection and response (EDR) solution that can identify and block malicious processes, even if the initial file bypasses email filters.
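As an added example (not code from this article, from the campaign it describes, or from any vendor product), the Python script below shows the kind of content check the advice above calls for. Because an SVG is XML, it can be parsed rather than pattern-matched: the scanner reports the features that make an SVG executable in a browser (a script element, on* event-handler attributes, javascript: or external href targets, a foreignObject that can embed HTML) and separately flags the double-extension naming trick such as Invoice.pdf.svg. It uses only the standard library; the two SVG samples and the filenames are constructed for the example, and the script body in the suspicious sample is a placeholder comment rather than a real redirect.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Attribute names such as onload/onclick make SVG content run script in a browser.
EVENT_HANDLER_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Inner extensions that suggest a file is dressed up as a document (constructed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "xls", "xlsx"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/1999/xlink} from a name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing executable was seen."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Browsers are lenient, so a malformed file still deserves a crude fallback check.
        findings.append("not well-formed XML")
        if re.search(rb"<\s*script", data, re.IGNORECASE):
            findings.append("<script> found in malformed document")
        return findings

    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():  # root.iter() includes the root element itself
        name = _local(el.tag).lower()
        if name == "script":
            findings.append("embedded <script> element")
        if name == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML content)")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if EVENT_HANDLER_RE.match(aname):
                findings.append(f"event handler attribute {aname} on <{name}>")
            if aname.lower() == "href":
                target = value.strip().lower()
                if target.startswith("javascript:"):
                    findings.append(f"javascript: URI in href on <{name}>")
                elif target.startswith(("http://", "https://")):
                    findings.append(f"external reference in href ({value.strip()})")
    return findings


def suspicious_filename(name: str) -> bool:
    """True for names like Invoice.pdf.svg: a document-looking inner extension, final extension .svg."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] == "svg" and parts[-2] in DOCUMENT_EXTS


# Constructed sample: an ordinary vector image with no script content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Constructed sample shaped like the lure described in the article: an event handler,
# an embedded script (placeholder body only) and a link to an external site.
PHISHING_LIKE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script><![CDATA[ /* constructed placeholder: a real lure would redirect the browser here */ ]]></script>
  <a xlink:href="https://example.invalid/lure"><text x="10" y="20">Open document</text></a>
</svg>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", PHISHING_LIKE_SVG)):
        print(label, "->", scan_svg(sample) or "no findings")
    for fname in ("Invoice.pdf.svg", "logo.svg", "report.pdf"):
        print(fname, "->", "deceptive name" if suspicious_filename(fname) else "ok")
```

A gateway would run scan_svg on every attachment whose name or declared type indicates SVG, whatever icon it displays, and quarantine on any non-empty result; the filename check is a cheap first pass that catches the disguise the article describes even before the content is parsed. Using an XML parser rather than a string search matters because element and attribute names may carry namespace prefixes or unusual casing; the regex fallback only covers files too malformed to parse at all.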
As cybercriminals continue to innovate, our defensive strategies must adapt. By understanding these new attack vectors and promoting a culture of security awareness, we can better protect our sensitive data from sophisticated threats.
Source: https://www.bleepingcomputer.com/news/security/virustotal-finds-hidden-malware-phishing-campaign-in-svg-files/