Warning Against Malware in SVG Format Distributed via Phishing Emails

AhnLab SEcurity Intelligence Center (ASEC) has recently identified multiple instances of malware being distributed in Scalable Vector Graphics (SVG) format. An SVG file is an XML-based file format that represents scalable vector graphics. SVG files are primarily used for icons, charts, and graphs, and they support the use of CSS and JavaScript within the code. The threat actor is exploiting these features to distribute various types of SVG malware.

The SVG malware is distributed as an attachment to phishing emails, and the email body tells the recipient how to open the file. Opened in the usual way (by double-clicking), an SVG file is rendered by the default web browser, which is what allows any script or hyperlink inside it to run.

Figure 1. Phishing email

The SVG malware currently being distributed can be divided into two types. The first type is the downloader type, which prompts users to download a PDF file. The second type is the phishing type, which encourages users to enter their account information to view an Excel document. The following figures show the content of SVG files that are currently being distributed.

Figure 2. SVG malware types

Examining the internal code shows that the downloader type wraps its image content elements in a hyperlink, so clicking the displayed image downloads additional malware from the linked address. The threat actor mostly uses legitimate file hosting services such as Dropbox and Bitbucket for these addresses. The downloaded file is a password-protected archive, and the password is shown in the page body when the SVG is opened. The archive contains an AsyncRAT sample, which has information-stealing and backdoor capabilities.

Figure 3. Downloader type

In the phishing type, obfuscated JavaScript is embedded within the image content elements; it Base64-encodes the account information the user enters and sends it to the threat actor's server.

In this way, SVG malware hides the code that performs malicious functions within image content elements, making it difficult for regular users to recognize the file as malicious.

Figure 4. Phishing type
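Both traits described above, an external hyperlink wrapping image content (downloader type) and inline JavaScript hidden in the image content (phishing type), can be surfaced by a small triage check on the attachment before it is ever rendered in a browser. The following is an added example, not code from ASEC or AhnLab; the hostnames and the three sample SVG documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Script fragments worth flagging; btoa() is the browser's Base64 encoder.
SUSPICIOUS_JS = re.compile(r"\b(btoa|atob|fetch|XMLHttpRequest|eval|unescape)\b")

def _href(el):
    # SVG 2 allows a plain href; older files use xlink:href.
    return el.get("href") or el.get(XLINK_HREF) or ""

def triage_svg(svg_text):
    """Return a list of human-readable findings for one SVG document."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            hits = sorted(set(SUSPICIOUS_JS.findall(el.text or "")))
            findings.append("inline <script>" + (f" using {', '.join(hits)}" if hits else ""))
        elif tag == "a":
            host = urlparse(_href(el)).netloc
            if host:  # link leaves the document: downloader pattern
                kinds = {c.tag.replace(SVG_NS, "") for c in el}
                findings.append(f"hyperlink to external host {host} wrapping {', '.join(sorted(kinds)) or 'nothing'}")
        elif tag == "foreignObject":
            findings.append("<foreignObject> (can embed an HTML form)")
        for attr in el.attrib:
            if attr.lower().startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler attribute {attr} on <{tag}>")
    return findings

# Constructed samples (not real malware); the hostnames are placeholders.
BENIGN_ICON = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
DOWNLOADER_LIKE = ('<svg xmlns="http://www.w3.org/2000/svg" '
                   'xmlns:xlink="http://www.w3.org/1999/xlink">'
                   '<a xlink:href="https://file-host.example/archive.zip">'
                   '<image width="600" height="400" xlink:href="data:image/png;base64,AAAA"/>'
                   '</a></svg>')
PHISHING_LIKE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                 '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
                 '<input name="pw"/></body></foreignObject>'
                 '<script>/* inert stand-in for the obfuscated code */'
                 'var enc = btoa; var send = fetch;</script></svg>')

if __name__ == "__main__":
    for name, doc in [("icon", BENIGN_ICON), ("downloader", DOWNLOADER_LIKE), ("phishing", PHISHING_LIKE)]:
        print(name, triage_svg(doc) or "no findings")
```

A benign icon yields no findings, so the check can gate SVG attachments at the mail gateway and route only flagged ones for analyst review.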

Malware is increasingly being created in a variety of file formats, and distribution of SVG-format malware in particular is on the rise. Users should refrain from opening files attached to emails from unknown sources, and should be especially cautious when the attachment is an SVG file.

