Full Report
AhnLab SEcurity Intelligence Center (ASEC) has recently identified multiple instances of malware being distributed in Scalable Vector Graphics (SVG) format. An SVG file is an XML-based file format that represents scalable vector graphics. SVG files are primarily used for icons, charts, and graphs, and they support the use of CSS and JavaScript within the code. […] The post Warning Against Malware in SVG Format Distributed via Phishing Emails appeared first on ASEC.
Analysis Summary
# Tool/Technique: SVG Malware (Downloader and Phishing Variants)
## Overview
ASEC has identified multiple instances of malware being distributed in the Scalable Vector Graphics (SVG) file format. Because SVG files are XML-based and support embedded CSS and JavaScript, they are being weaponized and delivered to users through phishing emails. The malware falls into two main types: a downloader that fetches secondary malware, and a phishing type that steals credentials.
## Technical Details
- Type: Malware Distribution Technique/Malware
- Platform: Systems capable of rendering SVG files via web browsers (implied Windows/Desktop environments targeted by phishing).
- Capabilities: Leveraging embedded JavaScript/CSS in SVG for execution; Downloader functionality; Information Stealing/Backdoor deployment (via secondary payload).
- First Seen: Not specified in the text, but noted as "recently" increasing.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access:**
  - **T1566 - Phishing**
    - T1566.001 - Spearphishing Attachment
- **TA0002 - Execution:**
  - **T1204 - User Execution**
    - T1204.002 - Malicious File
- **TA0011 - Command and Control:**
  - **T1071 - Application Layer Protocol** (implied by the network exfiltration in the phishing type)
## Functionality
### Core Capabilities
- **Distribution Vector:** Delivered as attachments in phishing emails, relying on users opening the file.
- **Execution Method:** Execution is achieved when the SVG file is opened by a web browser, leveraging the supported scripting capabilities.
### Advanced Features
- **Downloader Type:** Contains hyperlinks within image content elements that automatically download secondary malware (password-protected compressed file) from legitimate file hosting services (Dropbox, Bitbucket). The password to the compressed file is provided in the SVG body. The downloaded payload is **AsyncRat**.
- **Phishing Type:** Contains obfuscated JavaScript code within image content elements. This script captures user-entered account information, Base64 encodes it, and sends it to the threat actor's server.
- **Evasion:** Hiding malicious code within image content elements makes the file appear benign to casual inspection.
## Indicators of Compromise
- File Hashes:
  - **MD5:** `1cb57bf424b43b0fa31578e943abc294`, `62fe867077a03214208fa5c9f9f1c743`, `c3bd20a26cad5cd8d5ff8174f70966f0`, `d3acfbea0cfc732e819301c490b3bb89`
- File Names: N/A (Uses various names depending on the phishing lure, e.g., referencing PDF or Excel docs).
- Registry Keys: N/A
- Network Indicators:
  - **C2/Hosting (Defanged):** Dropbox links, Bitbucket links (for payload delivery).
  - **Exfiltration Server:** Unspecified server receiving Base64 encoded data (for phishing type).
- Behavioral Indicators: Execution of embedded JavaScript upon opening the SVG; Attempting to download external files; Uploading encoded credentials.
## Associated Threat Actors
- Not explicitly named, referred to as "The threat actor."
## Detection Methods
- **Signature-based detection:** Matching the provided file hashes (MD5).
- **Behavioral detection:** Monitoring for the execution of embedded scripts within SVG files, especially those attempting file downloads or network connections upon being opened by a browser.
- **YARA rules:** Can be developed based on unique obfuscation patterns or specific JavaScript payloads found within the SVG structure.
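The behavioral and YARA-style checks above reduce to a handful of structural features of the SVG document itself. The following static triage script is an added example written for this summary, not ASEC's own tooling: it parses an SVG as XML and reports `<script>` elements (and Base64 helpers such as `btoa()` inside them), `on*` event-handler attributes, `javascript:` URIs, and `<a>`/`<image>` elements whose `href` points at an external host, which is the "hyperlink inside an image element" pattern the downloader variant uses. The sample SVG, its placeholder URL and the token list are constructed for the example.

```python
"""Static triage of an SVG file for the features the report associates
with the downloader and phishing variants.

Added example, not ASEC's own tooling.  The sample SVG and its URL are
constructed; nothing here is an indicator from the report.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Script-body tokens worth calling out.  btoa() is the Base64 encoder a
# phishing-type SVG would need before posting captured form data.
SCRIPT_TOKENS = ("btoa(", "atob(", "eval(", "unescape(", "fromCharCode(")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1]


def triage_svg(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [str, ...]} for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A browser will not render malformed XML either, but a file that
        # claims to be SVG and does not parse still deserves a look.
        return {"suspicious": True, "findings": [f"not well-formed XML: {exc}"]}

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
            body = elem.text or ""
            findings.extend(f"script calls {tok[:-1]}()" for tok in SCRIPT_TOKENS if tok in body)
        if tag == "a" and any(_local(child.tag) == "image" for child in elem):
            findings.append("clickable image (<a> wrapping <image>)")
        for attr, value in elem.attrib.items():
            name = _local(attr)          # handles both href and xlink:href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                target = value.strip()
                scheme = urlparse(target).scheme.lower()
                if scheme == "javascript":
                    findings.append(f"javascript: URI on <{tag}>")
                elif scheme in ("http", "https"):
                    findings.append(f"external link on <{tag}>: {urlparse(target).netloc}")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample: a plain drawing that also carries a clickable image
# linking out to a file host and a script calling btoa().  The hostname is a
# placeholder, not an indicator from the report.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200">
  <rect width="200" height="200" fill="#eeeeee"/>
  <a xlink:href="https://file-host.example/placeholder.zip">
    <image width="200" height="200" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  </a>
  <script type="text/javascript"><![CDATA[
    var encoded = btoa(location.href);
  ]]></script>
</svg>
"""

if __name__ == "__main__":
    for finding in triage_svg(SAMPLE_SVG)["findings"]:
        print(finding)
```

Run over the constructed sample, the script reports the clickable image, the external link to `file-host.example`, the script element and its `btoa()` call; a plain drawing with no script, handlers or external links comes back clean. `data:` URIs are deliberately ignored so that legitimately embedded raster images do not trip the external-link check.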
## Mitigation Strategies
- Refrain from opening files attached to emails, especially from unknown sources.
- Exercise extreme caution when encountering SVG file attachments.
- Implement email gateway filtering to block SVG attachments or flag them for heightened scrutiny.
- Configure user systems to treat SVG files conservatively, for example by not associating the `.svg` extension with the web browser, so that files downloaded from email are not rendered (and their scripts run) on a double-click.
## Related Tools/Techniques
- **AsyncRat:** The secondary malware payload deployed by the Downloader variant, known for information-stealing and backdoor capabilities.
- Other file-format based attacks utilizing embedded scripting (e.g., weaponized DOCM/XLSM files leveraging VBA/Macros).