SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
AhnLab SEcurity intelligence Center (ASEC) recently identified phishing malware being distributed in the Scalable Vector Graphics (SVG) format. SVG is an XML-based vector image format commonly used for icons, logos, charts, and graphs, and because it is XML it can carry CSS and JavaScript inside the file. In November 2024, the ASEC Blog introduced SVG format malware, and it has since evolved into more sophisticated forms.
- Commonly Used File Names
Play Voicemail Transcription. (387.KB).svg
MT103_0296626389_.svg
DOC217_3052.svg
ATT78683.svg
Access Document Remittance_RECEIPT6534114638.svg

Figure 1. Malicious script encoded in Base64
The latest SVG malware contains a malicious script embedded within the file, referenced through the script tag's src attribute as Base64-encoded data. This technique, normally used to embed images directly into web pages to reduce server requests or to build standalone pages, is being abused here to evade file-based detection.

Figure 2. Decoded code
The decoded code, as shown in Figure 2, includes an obfuscated redirect URL.
- Redirect URL
hxxp://oK2Nv4ZWX6.moydow[.]de/aRghs76TyPdTWwfkOLkGoZRvtAKfi7SZIhk9vgovyVtf0Fl6Q86sq9CsNroQKjXHfbTWmJC49a5xoN1LdzgLlvse0zrGoqwJoaxHrElkA3a9Jn5xQbixSnS5KtaP3Hsj8j6usck0gto5qZoL44dKVbO6uQUwpokCD9qIQncUphBywUx8wta38JwOJcHKTKF6mbsxwNXG/MZz8BcXH4eB0RMRSQ5VqnN2doConZCsLAfBulS7bWQG7kNXIU2etgBMMODIaetz92FvV84lE36zALE52Z2qJBiGHbrUhnXd98X0PxQpDjc6nXZSW7GkWk6mHfLYx88VemLE678FkIXkK4ILAxSVW5yiMkWuMVe1sFdBc2lD4HlBqWWOfHT2D0REEiZFeYEMQOaQLaY33/[Email Account]
- Final URL
hxxps://[Account Domain].islaxw[.]es/jfWNu1IAW/#[Email Account]
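As an added example (not code from the ASEC post, and not the malware's own script), the following Python script shows how a defender can triage an SVG attachment the way Figures 1 and 2 describe: it parses the XML, locates script elements, decodes a Base64 data: URI carried in the src attribute (or href/xlink:href), and pulls any plain URL literals out of the decoded body. The sample SVG and its payload are constructed placeholders; the data: URI grammar and SVG attribute names are standard, while the helper names are my own.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: a tiny SVG whose <script> src is a Base64 data: URI.
# The payload is a placeholder redirect, not the script from the campaign.
_PAYLOAD = b'window.location = "http://example.invalid/";'
SAMPLE_SVG = (
    '<svg xmlns="{ns}" width="10" height="10">'
    '<rect width="10" height="10" fill="red"/>'
    '<script src="data:text/javascript;base64,{b64}"></script>'
    '</svg>'
).format(ns=SVG_NS, b64=base64.b64encode(_PAYLOAD).decode("ascii"))

# Constructed benign sample with no script at all.
BENIGN_SVG = '<svg xmlns="{ns}"><circle r="5"/></svg>'.format(ns=SVG_NS)

# data:[<mediatype>][;base64],<data>
DATA_URI_RE = re.compile(r"^data:([^;,]*)(;base64)?,(.*)$", re.S)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _decode_data_uri(uri):
    """Return the body carried by a data: URI, or None if uri is not one."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    body = m.group(3)
    if m.group(2):  # ;base64 flag present
        return base64.b64decode(body).decode("utf-8", "replace")
    return unquote(body)  # plain data: URIs are percent-encoded


def extract_scripts(svg_text):
    """Return (kind, content) for every script element in the SVG.

    kind is 'data-uri' (decoded body), 'inline' (element text) or
    'external' (the unresolved src/href value).
    """
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "script":  # strip the namespace
            continue
        # HTML-style src (as in Figure 1), SVG 2 href, or SVG 1.1 xlink:href
        src = el.get("src") or el.get("href") or el.get("{%s}href" % XLINK_NS)
        if src:
            body = _decode_data_uri(src)
            found.append(("data-uri", body) if body is not None else ("external", src))
        elif el.text and el.text.strip():
            found.append(("inline", el.text.strip()))
    return found


def find_urls(script_text):
    """Plain URL literals in a decoded script body (obfuscated URLs need more work)."""
    return URL_RE.findall(script_text)


def triage(svg_text):
    """Summarise an SVG: any script at all is a red flag for a mailed image file."""
    scripts = extract_scripts(svg_text)
    urls = [u for kind, body in scripts if kind != "external" for u in find_urls(body)]
    return {"script_count": len(scripts), "urls": urls, "suspicious": bool(scripts)}


if __name__ == "__main__":
    print(triage(SAMPLE_SVG))
    print(triage(BENIGN_SVG))
```

A legitimate icon or logo has no reason to carry a script element, so the triage verdict is simply "script present"; the decoded body and any URLs it contains are what an analyst would take to the next step (de-obfuscation, or blocking the domain at the gateway).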

Figure 3. CAPTCHA phishing page
The redirected page masquerades as a CAPTCHA, prompting users to click a button. This page contains scripts designed to hinder analysis, with functionalities such as:
1. Blocking Automation Tools

Figure 4. Block code of the automation tool
This code inspects the User-Agent string and browser variables to detect web drivers, automation tools (PhantomJS), and proxy tools (Burp Suite). When one of these is detected, access is blocked by redirecting to a blank page.
2. Blocking Input of Specific Keys

Figure 5. Code that blocks the input of a specific key
If keyboard shortcuts such as opening developer tools and viewing source code are pressed, the behavior of the corresponding event is blocked. The blocked key combinations are as follows.
| Key | Function |
|---|---|
| F12 (keycode: 123) | Open Developer Tools |
| Ctrl + U (keycode: 85) | View Source Code |
| Ctrl + Shift + I (keycode: 73) | Open Developer Tools |
| Ctrl + Shift + C (keycode: 67) | Open Developer Tools + Select Element |
| Ctrl + Shift + J (keycode: 74) | Open Developer Tools + Select Console |
| Ctrl + Shift + K (keycode: 75) | Open Developer Tools + Select Console (Firefox) |
| Ctrl + H (keycode: 72) | Open Browsing History |
| Command + Alt + I (keycode: 73) | Open Developer Tools (Mac) |
| Command + Alt + C (keycode: 67) | Open Developer Tools + Select Console (Mac) |
| Command + U (keycode: 85) | View Source (Mac) |
Table 1. Blocked key combinations
3. Block Right-Click

Figure 6. Code to block right click
This code cancels the context-menu event when the user right-clicks anywhere on the page, so the browser's context menu does not open.
4. Debugging Detection

Figure 7. Code to detect debugging
The execution time of a section of code is measured with the performance.now() function. If the interval exceeds a threshold, the script assumes that a debugger is attached, since a script paused at a breakpoint inflates the measurement, and the user is redirected to the legitimate site.
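Each of the four obstruction features above leaves static indicators in the decoded script. The Python scanner below is an added example, not the campaign's code or ASEC's tooling: it looks for the indicators the post describes (webdriver/PhantomJS/Burp and User-Agent checks, a keydown handler comparing against the Table 1 keycodes, a contextmenu handler, and performance.now() timing around a debugger statement) and maps keycode hits back to Table 1. The script fragments used as input are constructed to exercise the rules and are not the real page's script; the indicator regexes and the two-feature threshold are assumptions.

```python
import re

# Constructed fragments that exercise each obstruction feature described
# above (Figures 4 to 7). They are not the script from the campaign.
SAMPLE_JS = """
if (navigator.webdriver || /PhantomJS|Burp/.test(navigator.userAgent)) { location.href = 'about:blank'; }
document.addEventListener('keydown', function (e) {
  if (e.keyCode == 123 || (e.ctrlKey && e.keyCode == 85)) e.preventDefault();
});
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
var t0 = performance.now(); debugger;
if (performance.now() - t0 > 100) location.replace('https://example.invalid/');
"""

# Constructed benign handler with none of the indicators.
BENIGN_JS = "document.getElementById('btn').addEventListener('click', function () { console.log('ok'); });"

# Key codes from Table 1 (the modifier combination is not visible in the keycode alone).
TABLE1_KEYCODES = {123: "F12", 85: "U", 73: "I", 67: "C", 74: "J", 75: "K", 72: "H"}

# Indicator regexes, one group per feature; assumptions, not a vendor signature set.
INDICATORS = {
    "automation_block": [
        r"navigator\.webdriver",
        r"PhantomJS|_phantom|callPhantom",
        r"\bBurp\b",
        r"navigator\.userAgent",
    ],
    "key_block": [
        r"['\"]keydown['\"]",
        r"keyCode\s*===?\s*(?:123|85|73|67|74|75|72)\b",
    ],
    "right_click_block": [r"['\"]contextmenu['\"]|oncontextmenu"],
    "debugger_timing": [r"performance\.now\s*\(", r"\bdebugger\b"],
}

KEYCODE_RE = re.compile(r"keyCode\s*===?\s*(\d+)")


def scan_script(js_text):
    """Map each obstruction feature to the indicator patterns that matched."""
    hits = {}
    for feature, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, js_text)]
        if matched:
            hits[feature] = matched
    return hits


def blocked_keycodes(js_text):
    """Table 1 key codes the script compares against, sorted ascending."""
    codes = {int(c) for c in KEYCODE_RE.findall(js_text)}
    return sorted(c for c in codes if c in TABLE1_KEYCODES)


def classify(js_text, threshold=2):
    """Flag a script when at least `threshold` distinct features are present.

    threshold=2 is an assumption: a single feature (e.g. a contextmenu handler)
    is common on legitimate sites, a combination of them is not.
    """
    hits = scan_script(js_text)
    return {
        "features": sorted(hits),
        "blocked_keys": [TABLE1_KEYCODES[c] for c in blocked_keycodes(js_text)],
        "suspicious": len(hits) >= threshold,
    }


if __name__ == "__main__":
    print(classify(SAMPLE_JS))
    print(classify(BENIGN_JS))
```

Run it over a script decoded from a data: URI or fetched from the redirect chain; a hit on two or more feature groups is a strong signal that the page was built to resist inspection, which is itself worth alerting on regardless of what the final phishing page looks like.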
After passing these checks, when the user clicks the CAPTCHA verification button, a GET request is sent to the URL below and the response triggers further malicious actions. Although the current response is unknown, the history of similar malware suggests it leads to phishing sites impersonating Microsoft login pages.
- URL
hxxps://w2cc.pnkptj[.]ru/kella@aok5y
There is a growing trend in the distribution of malware using the SVG format, with increasingly sophisticated designs, necessitating user vigilance. Users should avoid opening files attached to emails from unknown sources, especially those in SVG format, and exercise caution.