Hackers Use SVG Files to Evade Malware Detection

The AhnLab Security Intelligence Center (ASEC) recently uncovered a sophisticated phishing malware campaign that leverages Scalable Vector Graphics (SVG) files, a format traditionally used for icons, logos, and charts.

SVG files, based on XML, allow the integration of CSS and JavaScript, enabling attackers to embed malicious scripts and links within the file.

This method has gained traction due to its ability to bypass traditional email security systems.

Evolution of SVG Malware

ASEC first highlighted the use of SVG files for malware distribution in November 2024. Since then, attackers have refined their techniques, embedding obfuscated scripts encoded in Base64 within the <script> tag’s src attribute.

Base64 encoding, commonly used for legitimate purposes like embedding images in web pages, is being exploited to evade detection by security tools.

Once decoded, these scripts redirect victims to phishing sites or trigger malicious downloads.

For example:

```xml
<script src="data:text/javascript;base64,aW5zZXJ0ZWRfYmFzZTY0X2NvZGU="></script>
```

Upon decoding, the script reveals a URL redirecting users to phishing pages masquerading as CAPTCHA verification sites.

These pages employ advanced anti-analysis measures to detect automation tools and debugging attempts.

Common Attack Techniques

  1. Obfuscated URLs: The decoded scripts often redirect users to long, randomized URLs such as:

     ```text
     hxxp://oK2Nv4ZWX6.moydow[.]de/aRghs76TyPdTWwfkOLkGoZRvtAKfi7SZIhk9vgovyVtf0Fl6Q86sq9CsNroQKjXHfbTWmJC49a5xoN1LdzgLlvse0zrGoqwJoaxHrElkA3a9Jn5xQbixSnS5KtaP3Hsj8j6usck0gto5qZoL44dKVbO6uQUwpokCD9qIQncUphBywUx8wta38JwOJcHKTKF6mbsxwNXG/MZz8BcXH4eB0RMRSQ5VqnN2doConZCsLAfBulS7bWQG7kNXIU2etgBMMODIaetz92FvV84lE36zALE52Z2qJBiGHbrUhnXd98X0PxQpDjc6nXZSW7GkWk6mHfLYx88VemLE678FkIXkK4ILAxSVW5yiMkWuMVe1sFdBc2lD4HlBqWWOfHT2D0REEiZFeYEMQOaQLaY33/[Email Account]
     ```

  2. Anti-Analysis Mechanisms: The malicious pages block automation tools like PhantomJS and Burp Suite by checking the User-Agent string and redirecting detected tools to blank pages. Additionally, key combinations such as F12 (Developer Tools) and Ctrl+Shift+I are disabled using JavaScript. Example code snippet:

     ```javascript
     document.addEventListener('keydown', function(e) {
       // 123 = F12; 73 = "I" (blocks Ctrl+Shift+I)
       if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.keyCode === 73)) {
         e.preventDefault();
       }
     });
     ```

  3. CAPTCHA Phishing Pages: Victims are presented with CAPTCHA-like interfaces designed to appear legitimate. After clicking the verification button, users are redirected to phishing sites impersonating platforms like Microsoft Office 365.
  4. Right-Click Blocking: JavaScript suppresses the context menu to hinder inspection of page elements:

     ```javascript
     document.addEventListener('contextmenu', function(e) {
       e.preventDefault();
     });
     ```
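A defender-side way to surface the pattern described above (a `<script>` whose `src` is a base64 `data:` URI, plus the URL it redirects to) is to parse the SVG and decode every script it carries before it reaches a mail client. The scanner below is an added example written for this article, not ASEC's or Sophos's tooling; the sample SVG and the `phish.example` URL are constructed placeholders, and it also reports inline scripts, external script references and `on*` event-handler attributes, which carry script just as well.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SVG_NS = "{http://www.w3.org/2000/svg}"
DATA_URI_RE = re.compile(r"^data:[^,]*?(;base64)?,(.*)$", re.S)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def decode_data_uri(src):
    """Return the script text carried by a data: URI, or None if src is not one."""
    m = DATA_URI_RE.match(src.strip())
    if not m:
        return None
    if m.group(1):  # ;base64 form, the variant used in the SVG campaign above
        return base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
    return unquote(m.group(2))  # percent-encoded plain-text variant

def scan_svg(svg_bytes):
    """List (kind, detail, urls) for every piece of script an SVG file carries."""
    # xml.etree keeps the example offline; use defusedxml for untrusted files at scale.
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        tag = elem.tag.replace(SVG_NS, "")
        # onload= / onclick= attributes execute too, so report them as script.
        for attr, value in elem.attrib.items():
            if attr.lower().startswith("on"):
                findings.append(("event_handler", f"{tag}@{attr}", URL_RE.findall(value)))
        if tag != "script":
            continue
        src = elem.get("src") or elem.get("href") or elem.get("{http://www.w3.org/1999/xlink}href")
        if src is None:
            text = elem.text or ""
            findings.append(("inline_script", text, URL_RE.findall(text)))
            continue
        try:
            body = decode_data_uri(src)
        except ValueError:  # malformed base64: cannot inspect, but still worth flagging
            findings.append(("undecodable_script", src, []))
            continue
        if body is None:
            findings.append(("external_script", src, URL_RE.findall(src)))
        else:
            findings.append(("data_uri_script", body, URL_RE.findall(body)))
    return findings

# Constructed sample (not from the ASEC report): an image whose <script> src is a base64 data: URI redirect.
_PAYLOAD = b"window.location='http://phish.example/captcha-verify';"
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/><script src="'
              b'data:text/javascript;base64,' + base64.b64encode(_PAYLOAD) + b'"></script></svg>')
```

Any non-empty result from `scan_svg` is a reason to quarantine an SVG attachment; an image that is really just an image carries no script at all.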

Broader Implications

Sophos and other cybersecurity firms have reported a surge in SVG-based attacks since late 2024.

These attacks exploit the trust associated with SVG files, which are often perceived as harmless image formats.

Cybercriminals embed malicious JavaScript or hyperlinks within SVG files sent via phishing emails, targeting platforms like Gmail, Outlook, and Dropbox.

Sophos observed that these campaigns frequently impersonate trusted brands such as Microsoft SharePoint and DocuSign.

Victims are lured into clicking on embedded links or transparent overlays within SVG files, leading to credential theft or malware downloads.

Recommendations

To mitigate the risks posed by SVG-based phishing attacks:

  • Avoid opening email attachments from unknown sources.
  • Implement advanced email security solutions capable of detecting obfuscated threats.
  • Educate users about the risks associated with seemingly benign file formats like SVG.
  • Regularly update antivirus software to detect emerging threats.

The increasing sophistication of SVG malware highlights the need for heightened vigilance and robust cybersecurity measures.

As attackers continue to exploit this versatile file format, organizations must remain proactive in defending against evolving phishing tactics.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
