Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign
A new report links over 500 weaponized SVGs to a phishing campaign that spoofed a Colombian government portal.

Scalable vector graphics (.svg) files are lightweight, XML-based images that render at any resolution. They’re usually harmless, but they can also contain active code, and hackers appear to be relying on them more often as a means to stealthily deliver malware.
A new report from VirusTotal shows just how far that tactic has evolved, unearthing a campaign that used weaponized SVGs to drop malware, spoof a government agency, and dodge antivirus detection entirely.
44 previously undetected phishing SVGs
In its report published September 4, the Google-owned scanning platform said its Code Insight system had flagged an SVG file masquerading as a legal notification from Colombia’s judicial system.
When opened, the file rendered a realistic-looking web portal in-browser, complete with a fake progress bar and download button. That button then delivered a malicious ZIP archive containing a signed Comodo Dragon browser executable, along with a malicious .dll file that would be sideloaded if the .exe was run. This would then install more malware on the system.
The attack relied on a known but often overlooked feature: SVG files can carry embedded HTML and JavaScript. This means they can behave like mini web pages — or, as in this case, full phishing kits — even when attached to an email or hosted on cloud storage. VirusTotal’s retrospective scan tied 523 SVG files to the same campaign, 44 of which were completely undetected by any antivirus engine at the time of submission.
According to VirusTotal’s findings, the source code of these SVGs contained code obfuscation techniques and “large amounts of dummy (garbage) code to increase entropy and evade static detection.”
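To show what "active content in an image file" looks like from the defender's side, here is an added static triage check (not VirusTotal's Code Insight or any code from the report): it parses an SVG, counts embedded script elements, event-handler attributes, foreignObject blocks and javascript: links, and scores the entropy of any script body, since padded garbage code pushes entropy up. The two sample SVGs are constructed for illustration and are not samples from the campaign.

```python
"""Static triage of SVG files for embedded active content (defender-side check)."""
import math
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted input


def shannon_entropy(data: str) -> float:
    """Bits per character; obfuscated or garbage-padded script bodies score high."""
    if not data:
        return 0.0
    counts: dict[str, int] = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_svg(svg_text: str) -> dict:
    """Return active-content indicators found in the SVG and the max script entropy."""
    findings = {"script": 0, "event_handlers": 0, "foreign_object": 0,
                "js_hrefs": 0, "max_script_entropy": 0.0}
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the XML namespace prefix
        if tag == "script":
            findings["script"] += 1
            body = (el.text or "").strip()
            findings["max_script_entropy"] = max(findings["max_script_entropy"],
                                                 shannon_entropy(body))
        elif tag == "foreignObject":
            findings["foreign_object"] += 1  # hosts arbitrary HTML inside the image
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):  # onload=, onclick=, ... run JavaScript
                findings["event_handlers"] += 1
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings["js_hrefs"] += 1
    findings["active_content"] = any(
        findings[k] for k in ("script", "event_handlers", "foreign_object", "js_hrefs"))
    return findings


# Constructed samples: a plain icon, and an SVG carrying an onload handler, HTML and a script.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              '<foreignObject><div xmlns="http://www.w3.org/1999/xhtml">notice</div>'
              '</foreignObject><script>var a=1;</script></svg>')

if __name__ == "__main__":
    print(triage_svg(BENIGN_SVG))
    print(triage_svg(ACTIVE_SVG))
```

A mail gateway or EDR rule can use the same indicators to quarantine SVG attachments before they ever render in a browser.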


Not an isolated case
Earlier this year, IBM X-Force documented SVG phishing campaigns targeting banks and insurance firms, and Cloudflare’s Cloudforce One threat team has tracked a sharp rise in SVGs acting as redirectors or fully encoded credential harvesters. Meanwhile, security vendors like Sophos have rolled out new detection rules after finding SVG payloads that bypassed filters.
Microsoft, for its part, is now retiring support for inline SVG rendering in Outlook for the web and the new Outlook for Windows. These will no longer be displayed, and instead, users will see empty spaces where they otherwise would have appeared. This closes off a powerful delivery vector for any attacker hoping to sneak active content into a message body.
For now, users should treat unknown SVG files with the same level of scrutiny they would for any other unknown file.

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.