Malicious Hackers Abusing SVG Files to Insert Harmful JavaScript Code
In a concerning development, cyber threat actors have started using Scalable Vector Graphics (SVG) files as a stealthy delivery method for malware and phishing payloads. This tactic exploits the trust browsers place in SVG images and the complexity of scanning and filtering encoded or obfuscated scripts embedded inside files that are normally considered safe.
The malicious SVG files carry an obfuscated payload between script tags; the payload may decode itself at runtime or pass through several layers of encoding. Because the JavaScript is stored in encoded form rather than as plain text, it slips past heuristics and keyword scans that look for known malicious patterns or suspicious strings.
When a user opens the SVG in a browser, the embedded script decodes and executes in the browser environment. From there it typically redirects the user to a phishing site or delivers malware by dynamically rewriting the DOM, injecting iframes, or performing other malicious actions within the page.
One characteristic of these attacks is the use of minimalist lure emails, often featuring a single icon or a "Missed Call" teaser. The attacks primarily target organisations with weak SPF, DKIM, or DMARC enforcement. To evade detection, the scripts are often masked with a ten-byte XOR key and each click is tracked with distinct Base64 strings that map to a workstation.
To mitigate this threat, organisations are advised to quarantine unsolicited SVGs and enable content disarm and reconstruction. Moving DMARC policies from monitoring to reject can also help. Additionally, correlating unusual command-line invocations with email telemetry can aid in detection.
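As an added example (not code from the original report), here is a minimal content disarm and reconstruction step using only Python's standard library. It strips `<script>` and `<foreignObject>` elements, `on*` event-handler attributes and `javascript:` links from an SVG without attempting to decode anything, so XOR masking or multi-stage encoding of the payload makes no difference, and it reports each removal so the original attachment can be quarantined. The sample SVG is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry executable or embedded-HTML content inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject"}

# Constructed sample lure: a "Missed Call" icon with an event handler,
# a javascript: link and an inline <script> (payload bodies are placeholders).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#3c3" onload="/* stage-1 decoder */"/>
  <a xlink:href="javascript:/* redirect */"><text x="8" y="40">Missed Call</text></a>
  <script type="text/javascript"><![CDATA[/* xor-masked payload */]]></script>
</svg>"""


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()


def disarm_svg(svg_text: str):
    """Return (sanitised_svg, findings); findings lists every removed item.

    Nothing is decoded: all script-bearing constructs go, whatever they contain.
    For untrusted input in production, parse with defusedxml rather than the
    stdlib parser so entity-expansion tricks cannot exhaust the scanner.
    """
    root = ET.fromstring(svg_text)
    findings = []
    # Pass 1: drop whole elements that can hold code or foreign HTML.
    for parent in list(root.iter()):
        for child in list(parent):
            tag = _local(child.tag) if isinstance(child.tag, str) else ""
            if tag in ACTIVE_TAGS:
                findings.append(f"removed <{tag}> element")
                parent.remove(child)
    # Pass 2: drop event handlers and javascript: references on what remains.
    for el in root.iter():
        for attr in list(el.attrib):
            name, value = _local(attr), el.attrib[attr].strip().lower()
            if name.startswith("on"):
                findings.append(f"removed {name} handler on <{_local(el.tag)}>")
                del el.attrib[attr]
            elif name == "href" and value.startswith("javascript:"):
                findings.append(f"removed javascript: href on <{_local(el.tag)}>")
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    clean_svg, hits = disarm_svg(SAMPLE_SVG)
    print("\n".join(hits) or "no active content found")
    print(clean_svg)
```

A non-empty findings list is the quarantine signal; the returned SVG keeps the visible artwork and text, so a sanitised copy can still be delivered where the business needs it.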
As the attachments bypass signature checks, the first line of defence fails. However, by understanding this new threat vector and implementing appropriate countermeasures, organisations can better protect themselves against these precision-guided malware attacks.
- The use of SVG files by cyber threat actors for malware and phishing attacks illustrates the increasing role that technology, here in the form of obfuscated JavaScript code, plays in modern cybersecurity threats.
- To address the escalating issue of SVG-based malware attacks, organisations need to strengthen their technical defences with measures such as content disarm and reconstruction, strict DMARC policies, and correlation of email telemetry with command-line invocations.