SVG Files: The Emerging Vector of Cyber Threats

Figure: Infection chain of notable SVG file delivery campaigns

A recent report by Cofense, an industry leader in email security, has uncovered two new alarming campaigns showcasing the rising threat of SVG files in the cybercrime world. SVG, which stands for Scalable Vector Graphic, is an image file format often perceived as harmless. However, this report details how threat actors are cleverly weaponizing SVGs to deliver dangerous malware.


A History of SVG Abuse in Cybercrime

While the recent campaigns may have caught attention, Cofense’s analysis shows that SVG abuse isn’t entirely new. Malicious actors have been experimenting with SVGs since at least 2015 when they were first used to deliver ransomware. However, 2022 saw a turning point with the release of the AutoSmuggle tool, which dramatically simplified the process of embedding malware within seemingly innocent SVG files.

AutoSmuggle represents a pivotal development in the malware delivery arena. By embedding executable or archive files within SVG or HTML files, the malicious content is seamlessly delivered to victims upon opening the seemingly benign SVG/HTML file. This technique, known as HTML smuggling, exploits the trust placed in image files and HTML content, allowing attackers to smuggle malware past security measures.

The strategic use of SVG files, as demonstrated in recent campaigns, underscores the adaptability of threat actors. By modifying the content or structure of these files, attackers can create compelling lures that bypass secure email gateways (SEGs), thereby increasing the success rate of their campaigns.

Details of the December 2023 and January 2024 Campaigns

  • XWorm RAT – Granting Remote Control: Threat actors targeted victims with carefully crafted SVG files designed to deploy the XWorm RAT. Once installed, XWorm provides attackers with a frightening level of control over infected machines, allowing them to pilfer data, install additional malware, or even hijack systems for further attacks.

  • Agent Tesla Keylogger – Spying on Every Keystroke: This campaign focused on spreading the insidious Agent Tesla Keylogger. Its sole purpose is to record a victim’s keystrokes, capturing passwords, financial details, and other confidential information.

The Evolving Threat from SVG Files

The report by Cofense sheds light on the evolving nature of SVG-based attacks. SVGs have been used to deliver a wide range of malware, including Ursnif, QakBot, and even tools to exploit known software vulnerabilities. This versatility makes SVGs a significant threat vector in today’s cybersecurity landscape.

Understanding SVG Exploitation Techniques

Here’s a breakdown of the primary methods cybercriminals use to leverage SVGs for malware delivery:

  1. JavaScript Direct Download: The SVG contains code that triggers the download of a malicious file from a remote server. Simple visual distractions, such as basic shapes, can be used to mask this action.

  2. HTML Style Embedded Object: Here, the malware is directly hidden inside the SVG file. When opened, the SVG releases the malware and might use additional trickery to persuade the victim to execute the harmful file.

Staying Safe in a World of SVG Threats

  • Proactive Defense: Cybersecurity is no longer about simply reacting to attacks. Proactive measures are crucial. Regular software updates, strong email security filters, and a general mistrust of unexpected files are vital.

  • Beyond Just Images: SVG files should never be treated as harmless image files. Be wary of SVGs received from unknown senders, or found on untrusted websites.

  • Training is Key: Educate employees to spot red flags in emails. This includes training on how to recognize phishing attempts with suspicious attachments – even those with unusual file extensions like .svg.
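The two delivery techniques described above (script-triggered download and an embedded, smuggled object) and the "strong email security filters" advice both come down to the same check: inspect SVG attachments as documents, not as images. The following Python scanner is an added example written for this article; it is not code from Cofense or from the report. The heuristics (script elements, event-handler attributes, javascript: and base64 data: URIs, foreignObject, long base64 runs) are the editor's own assumptions about what a gateway rule should flag, and the sample messages and SVG bodies are constructed and inert.

```python
"""Added example: flag SVG email attachments that carry the delivery
techniques the article describes. Heuristics and samples are constructed."""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET  # assumption: trusted parser; use defusedxml in production
from email import message_from_bytes
from email.message import EmailMessage

EVENT_ATTR = re.compile(r"^on[a-z]+$")            # onload, onclick, ...
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # smuggled-payload sized blob


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return sorted, de-duplicated reasons an SVG should be treated as suspicious.
    An empty list means none of the heuristics fired."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable XML"]
    findings = set()
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()      # drop the XML namespace prefix
        if tag == "script":
            findings.add("<script> element (technique 1: JavaScript download)")
        if tag == "foreignobject":
            findings.add("<foreignObject> (HTML content inside an image)")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()  # xlink:href and href both become 'href'
            v = value.strip().lower()
            if EVENT_ATTR.match(local):
                findings.add(f"event handler attribute {local}")
            if local == "href" and v.startswith("javascript:"):
                findings.add("javascript: URI in href")
            if local == "href" and v.startswith("data:") and "base64" in v:
                findings.add("base64 data: URI (technique 2: embedded object)")
    # Catch payloads parked in text nodes or attributes the element walk did not name.
    if LONG_B64.search(svg_bytes.decode("utf-8", errors="replace")):
        findings.add("long base64 blob in body (possible smuggled payload)")
    return sorted(findings)


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each SVG attachment (by filename or declared type) to its findings."""
    msg = message_from_bytes(raw)
    results: dict[str, list[str]] = {}
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".svg") or part.get_content_type() == "image/svg+xml":
            payload = part.get_payload(decode=True) or b""
            results[fname or "<unnamed>"] = svg_findings(payload)
    return results


def build_message(filename: str, svg: bytes) -> bytes:
    """Constructed test message: one text body plus one SVG attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see attached.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename=filename)
    return msg.as_bytes()


# Constructed samples. The "smuggling" SVG is inert: the script is a comment and
# the data: URI decodes to a text marker, not an executable.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')

_FAKE_BLOB = base64.b64encode(b"constructed placeholder, not a real payload " * 8)
SMUGGLING_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<rect width="10" height="10"/>'                       # visual distraction
                 b'<script>/* constructed placeholder; no real payload */</script>'
                 b'<a xlink:href="data:application/octet-stream;base64,' + _FAKE_BLOB +
                 b'" download="payload.bin"/></svg>')


if __name__ == "__main__":
    for name, body in (("logo.svg", BENIGN_SVG), ("invoice.svg", SMUGGLING_SVG)):
        print(name, scan_message(build_message(name, body))[name])
```

A gateway rule built this way keys on structure rather than on the sender or the file extension, so renaming the attachment or wrapping it in an archive that the gateway unpacks does not change the verdict. The parser choice matters: `xml.etree` is used here for portability, but an SVG is arbitrary XML, so a production scanner should parse with entity expansion disabled (for example via defusedxml) before applying the heuristics.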