Full Report
AhnLab SEcurity intelligence Center (ASEC) recently identified phishing malware being distributed in Scalable Vector Graphics (SVG) format. SVG is an XML-based vector image format commonly used for icons, logos, charts, and graphs, and because it is XML it can carry CSS and JavaScript inside the image file itself. In November 2024, the ASEC Blog introduced SVG […]
Analysis Summary
# Tool/Technique: SVG Phishing Malware (Sophisticated Variant)
## Overview
This is a sophisticated phishing malware being distributed within Scalable Vector Graphics (SVG) files. The primary purpose is to deliver payloads or redirect users to phishing sites, employing obfuscation and anti-analysis features embedded within the SVG's JavaScript/CSS content to thwart automated inspection.
## Technical Details
- Type: Malware (Phishing Payload Delivery)
- Platform: Web browsers (the SVG is rendered by the default browser when the victim opens the attachment, and its embedded script runs client-side in that browser)
- Capabilities: Malicious script execution within SVG, Base64 encoding for obfuscation, redirection to phishing infrastructure, real-time anti-analysis techniques (automation blocking, debugging detection).
- First Seen: Evolved variant identified around March 2025 (date of the source report); earlier SVG variants were covered by ASEC in November 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (The SVG file acts as the attachment)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the victim opens the SVG; the browser renders it and runs the embedded script)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1027.013 - Encrypted/Encoded File (the script body is Base64-encoded inside the SVG)
- T1497 - Virtualization/Sandbox Evasion
- T1497.001 - System Checks (user-agent and web-driver checks that identify automated analysis tools)
- T1622 - Debugger Evasion (`performance.now()` timing checks, blocking of developer-tool shortcuts and the context menu)
## Functionality
### Core Capabilities
- **Script Embedding:** Malicious JavaScript is embedded in the SVG through a `<script src="...">` element whose `src` value carries the Base64-encoded script body itself rather than a plain URL, so no external fetch is needed and the file looks like opaque data to a casual reader.
- **Initial Redirection:** Once the browser decodes and runs the script, it decodes a further Base64 string to recover an obfuscated redirect URL.
- **Phishing Lure:** The user is redirected to an intermediate page disguised as a CAPTCHA verification prompt.
### Advanced Features
- **Automation Tool Blocking:** Inspects the browser's user-agent string and environment properties (the kind exposed by web drivers) to detect automated analysis tools such as PhantomJS, Burp Suite, and generic web drivers, and redirects them to a blank page so that sandboxes and crawlers never reach the lure.
- **Debugger Detection:** Uses timing checks (`performance.now()`) to detect if code execution is slowed down by an active debugger, redirecting users to the legitimate site if debugging is suspected.
- **Keyboard Shortcut Blocking:** Intercepts and blocks common browser shortcuts used by analysts to access developer tools or view source code, including F12, Ctrl+U, Ctrl+Shift+I/C/J/K, and corresponding Mac shortcuts.
- **Right-Click Prevention:** Disables the right-click context menu to hinder simple inspection methods.
- **Final Payload Trigger:** Once the victim clicks through the fake CAPTCHA, a GET request is sent to a designated URL, which is expected to return the final phishing content (e.g., a Microsoft login impersonation page).
## Indicators of Compromise
- File Hashes:
- MD5: `42565c1c9ecedd937439713e20838b3a`
- MD5: `caad49bc4c408e6af8aea813cec6cb0b`
- File Names: `Play Voicemail Transcription. (387.KB).svg`, `MT103_0296626389_.svg`, `DOC217_3052.svg`, `ATT78683.svg`, `Access Document Remittance_RECEIPT6534114638.svg`
- Registry Keys: [Not specified]
- Network Indicators:
- Initial Redirect: `hxxp://oK2Nv4ZWX6.moydow[.]de/aRghs76TyPdTWwfkOLkGoZRvtAKfi7SZIhk9vgovyVtf0Fl6Q86sq9CsNroQKjXHfbTWmJC49a5xoN1LdzgLlvse0zrGoqwJoaxHrElkA3a9Jn5xQbixSnS5KtaP3Hsj8j6usck0gto5qZoL44dKVbO6uQUwpokCD9qIQncUphBywUx8wta38JwOJcHKTKF6mbsxwNXN/MZz8BcXH4eB0RMRSQ5VqnN2doConZCsLAfBulS7bWQG7kNXIU2etgBMMODIaetz92FvV84lE36zALE52Z2qJBiGHbrUhnXd98X0PxQpDjc6nXZSW7GkWk6mHfLYx88VemLE678FkIXkK4ILAxSVW5yiMkWuMVe1sFdBc2lD4HlBqWWOfHT2D0REEiZFeYEMQOaQLaY33/[Email Account]`
- Final Payload Trigger URL: `hxxps://w2cc.pnkptj[.]ru/kella@aok5y`
- Behavioral Indicators: Execution of scripts upon opening the SVG, rapid client-side redirection, attempts to detect browser inspection tools, blocking of standard browser events (right-click, key combinations).
## Associated Threat Actors
- [Not explicitly named, but attributed to actors utilizing sophisticated phishing campaigns.]
## Detection Methods
- Signature-based detection: Signatures based on the known file hashes. This is brittle for this family, since each campaign re-encodes the script and changes the hash.
- Behavioral detection: Flag image files, especially SVG, that contain `<script>` elements or `on*` event-handler attributes, that decode Base64 at runtime, or that heavily manipulate browser events (keydown, contextmenu). Detect redirects whose originating document is an image file.
- YARA rules: Rules for SVG/XML files that combine `<script` with `base64,` inside a `src` attribute, or that contain the anti-analysis constructs described above (`performance.now`, `keydown`, `contextmenu`, web-driver checks) inside an image file.
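The script-embedding described under Core Capabilities and the behavioural detection approach above, as an added example that is not part of the ASEC report: a Node.js triage script that pulls every `<script>` out of an SVG (inline, CDATA-wrapped, or Base64-encoded in a `data:` URI on `src`), decodes it, and reports which anti-analysis behaviours the decoded body contains. The sample SVG and its script are constructed here for illustration and contain none of the report's indicators; the marker table and the "two or more anti-analysis behaviours" threshold are assumptions.

```javascript
// Added example (not ASEC's code): static triage of an SVG file for embedded
// script and the anti-analysis constructs described in the report. Node.js.

// Constructed sample script: a benign stand-in with the same shape as the
// behaviours described (automation check, timing check, shortcut/right-click
// blocking, Base64-decoded redirect). No real payload or indicator is used.
const SAMPLE_SCRIPT = `
if (navigator.webdriver || /PhantomJS/.test(navigator.userAgent)) {
  location.href = "about:blank";
}
const t0 = performance.now(); debugger;
if (performance.now() - t0 > 100) { location.href = "https://example.com/"; }
document.addEventListener("contextmenu", e => e.preventDefault());
document.addEventListener("keydown", e => { if (e.key === "F12") e.preventDefault(); });
location.href = "https://" + atob("ZXhhbXBsZS5uZXQ=") + "/verify";
`;

// Constructed sample SVG: the script body is Base64-encoded into a data: URI
// on the <script src> attribute, the embedding style the report describes.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script src="data:text/javascript;base64,${Buffer.from(SAMPLE_SCRIPT).toString("base64")}"></script>
</svg>`;

// Marker table (assumption): regexes grouped by the behaviour they implement.
const MARKERS = {
  automation_check: [/navigator\.webdriver/, /PhantomJS/i, /userAgent/],
  debugger_timing: [/performance\.now\(\)/, /\bdebugger\b/],
  shortcut_blocking: [/keydown/, /F12/, /preventDefault/],
  contextmenu_blocking: [/contextmenu/],
  redirect: [/location\.(href|replace|assign)/, /window\.open/],
  base64_decode: [/\batob\(/],
};
const ANTI_ANALYSIS = ["automation_check", "debugger_timing", "shortcut_blocking", "contextmenu_blocking"];

// Return every script body in the SVG text, whether inline, CDATA-wrapped,
// or Base64-encoded in a data: URI on src=. External src URLs are recorded
// but have no body to scan.
function extractScripts(svgText) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(svgText)) !== null) {
    const attrs = m[1];
    const inline = m[2].replace(/<!\[CDATA\[|\]\]>/g, "").trim();
    const src = /src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      const data = /^data:[^,]*;base64,(.*)$/is.exec(src[1].trim());
      if (data) {
        scripts.push({ origin: "data-uri-base64", body: Buffer.from(data[1], "base64").toString("utf8") });
      } else {
        scripts.push({ origin: "external:" + src[1], body: "" });
      }
    }
    if (inline) scripts.push({ origin: "inline", body: inline });
  }
  return scripts;
}

// Map one script body to the behaviours whose markers it matches.
function classifyScript(body) {
  const hits = {};
  for (const [behaviour, patterns] of Object.entries(MARKERS)) {
    const matched = patterns.filter((p) => p.test(body)).map((p) => p.source);
    if (matched.length) hits[behaviour] = matched;
  }
  return hits;
}

// Verdict for one SVG: "clean" (no script), "script-present", or
// "suspicious" when two or more anti-analysis behaviours are present.
function triageSvg(svgText) {
  const scripts = extractScripts(svgText);
  const findings = scripts.map((s) => ({ origin: s.origin, hits: classifyScript(s.body) }));
  const behaviours = [...new Set(findings.flatMap((f) => Object.keys(f.hits)))].sort();
  const antiAnalysis = ANTI_ANALYSIS.filter((b) => behaviours.includes(b));
  let verdict = "clean";
  if (scripts.length > 0) verdict = antiAnalysis.length >= 2 ? "suspicious" : "script-present";
  return { hasScript: scripts.length > 0, behaviours, verdict, findings };
}

console.log(JSON.stringify(triageSvg(SAMPLE_SVG), null, 2));
```

The parser is deliberately regex-based rather than a full XML parse so it still works on samples that are not well-formed; a production scanner would also walk `on*` attributes and `<foreignObject>` content, which this example does not cover.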
## Mitigation Strategies
- Avoid opening attachments from unknown or untrusted sources, especially when a supposed document, voicemail, or remittance arrives as an SVG, an extension that has no business carrying such content.
- Configure email gateways to scan SVG attachments for `<script>` content and to quarantine or strip them, since SVG can carry executable script even though it is classified as an image.
- Application whitelisting adds little here: an SVG opens in the default browser, which is already an allowed application. A more effective control is to change the default handler for `.svg` to a viewer that does not execute script, or to block the file type outright.
- Enable and maintain endpoint protection capable of detecting malicious JavaScript behaviour in web contexts, including redirects that originate from a locally opened image file.
## Related Tools/Techniques
- Previous SVG-format malware variants covered on the ASEC Blog in November 2024.
- General phishing techniques that place a fake CAPTCHA page in front of the credential lure as a secondary verification step.