Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that has evolved significantly with the advent of the AutoSmuggle tool.
Introduced in May 2022, AutoSmuggle facilitates embedding malicious files within HTML or SVG content, making it easier for attackers to bypass security measures.
Early and Notable Malware Deliveries via SVG
The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.
In January 2017, SVG files were used to download the Ursnif malware via URLs. A significant leap occurred in 2022 when SVGs delivered malware like QakBot through embedded .zip archives, showcasing a shift from external downloads to HTML smuggling techniques.
AutoSmuggle’s Role in Malware Campaigns
AutoSmuggle’s release on GitHub in 2022 marked a turning point. The tool embeds executable files or archives into SVG/HTML files, which are then decrypted and executed upon opening by the victim.
This method cleverly evades Secure Email Gateways (SEGs) that would typically detect and quarantine direct email attachments.
Two notable AutoSmuggle campaigns began in December 2023 and January 2024, delivering XWorm RAT and Agent Tesla Keylogger, respectively.
Methods of Malware Delivery via SVG
According to CoFense report, SVG files can deliver malware in two primary ways:
- JavaScript Direct Download: The original SVG files contained embedded URLs that, when opened, triggered the download of a malicious payload. Later versions displayed an image to distract the victim while the download occurred.
- HTML Style Embedded Object: More recent SVG files contain the malicious payload within, eliminating the need for external resources. These files often rely on the victim’s curiosity to interact with the delivered file.
Campaign Analysis: Agent Tesla and XWorm RAT
The Agent Tesla Keylogger campaign was characterized by emails with attached SVG files that led to an embedded .zip archive containing a JavaScript file, which then initiated a series of downloads culminating in the execution of the keylogger.
The XWorm RAT campaign differed in its approach, with three distinct infection chains involving PDFs, embedded links, and direct SVG attachments, ultimately leading to the delivery of XWorm RAT via various scripting files.
Divergence from AutoSmuggle in Campaigns
Upon analysis, the SVG files used in these campaigns showed slight modifications from the standard AutoSmuggle-generated files.
For instance, the Agent Tesla campaign SVGs included redirecting to a legitimate-looking Maersk webpage, enhancing the deception.
The XWorm RAT campaign SVGs, on the other hand, displayed a blank page instead of an image, a less sophisticated approach compared to the Agent Tesla campaign.
The use of SVG files in malware delivery, particularly with tools like AutoSmuggle, represents an evolving threat landscape where attackers continuously adapt to circumvent security defenses.
Understanding these techniques is crucial for developing more effective countermeasures against such sophisticated cyber threats.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.