
Cybercriminals are exploiting SVG files by embedding harmful JavaScript to deploy malware on Windows systems.

Cybercriminals have started to exploit Scalable Vector Graphics (SVG) files as advanced attack vectors, turning seemingly innocuous image files into powerful phishing tools capable of executing malicious JavaScript on Windows systems. This emerging threat takes advantage of the XML-based structure of SVG files, allowing attackers to embed and execute harmful scripts when these files are opened in default web browsers. Unlike traditional image formats such as JPEG or PNG, which store pixel data, SVG files use XML code to define vector paths, shapes, and text elements. This unique characteristic enables the embedding of JavaScript code within the file, which executes automatically upon opening the SVG file in a browser. Seqrite security researchers have identified a sophisticated campaign that employs this technique, with attackers distributing malicious SVG files through spear-phishing emails featuring deceptive subject lines like “Reminder for your Scheduled Event” and attachments named “Upcoming Meeting.svg” or “Your-to-do-List.svg.”

The campaign also utilises cloud storage platforms such as Dropbox, Google Drive, and OneDrive to distribute these malicious files, effectively evading email security filters. The attack shows considerable technical sophistication: the threat actors employ several evasion techniques to maintain persistence and avoid detection by traditional security solutions. The malicious SVG files embed `<script>` tags inside CDATA sections to hide the harmful logic from basic content scanners. Security researchers found that the attackers store the payload as a hex-encoded string variable (`Y`) and obfuscate it with a short XOR key (`q`). When processed, this encoded data decrypts into executable JavaScript that redirects victims to phishing sites using the statement `window.location = 'javascript:' + v;`. Once decrypted, the payload sends users to command-and-control infrastructure, specifically hxxps://hju[.]yxfbynit[.]es/koRfAEHVFeQZ!bM9, which places Cloudflare CAPTCHA gates in front of convincing Office 365 login forms built for credential harvesting.
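As an added example that is not part of the article or of Seqrite's research, the following Python script shows how a mail gateway or analyst could statically triage an SVG attachment for the indicators described above: a `<script>` element (including one wrapped in CDATA), a `javascript:` navigation sink, a long hex literal paired with a short string literal, and whether XOR-decoding that pair yields readable JavaScript. The sample SVG, the placeholder URL it decodes to, and the key value are constructed for this demonstration; the variable names `Y` and `q` follow the article, and the `unpack` call is a stand-in because the scanner never needs the decoder body.

```python
"""
Static triage of an SVG attachment for the indicators described above.
Added example (not Seqrite's tooling): the sample SVG, the placeholder
URL, and the XOR key value are constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SVG_NS = "{http://www.w3.org/2000/svg}"

# Quoted hex literal of 16+ chars, quoted short string literal, and the
# navigation sink the article quotes.
HEX_RE = re.compile(r"""['"]([0-9a-fA-F]{16,})['"]""")
KEY_RE = re.compile(r"""['"]([^'"\s]{1,8})['"]""")
SINK_RE = re.compile(r"""(?:window\.)?location\s*=\s*['"]javascript:""")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both builds and decodes the sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample. The decoded string is a harmless placeholder, not a
# real lure, and the decoder routine the article describes is not reproduced
# because the scanner does not need it (unpack is a stand-in name).
PLACEHOLDER_JS = 'window.location = "https://placeholder.invalid/";'
XOR_KEY = "q7"  # assumed short key value
HEX_BLOB = xor_with_key(PLACEHOLDER_JS.encode(), XOR_KEY.encode()).hex()

SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <rect width="200" height="100" fill="#eee"/>
  <text x="20" y="55">Upcoming Meeting</text>
  <script type="text/javascript"><![CDATA[
    var Y = "{HEX_BLOB}";
    var q = "{XOR_KEY}";
    var v = unpack(Y, q);
    window.location = 'javascript:' + v;
  ]]></script>
</svg>
"""

CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>
"""


def extract_scripts(svg_text: str) -> List[str]:
    """Return script bodies. ET.fromstring places CDATA contents in .text; fall
    back to a raw regex because browsers tolerate XML that the parser rejects."""
    try:
        root = ET.fromstring(svg_text)
        bodies = [el.text or "" for el in root.iter()
                  if el.tag in (SVG_NS + "script", "script")]
    except ET.ParseError:
        bodies = re.findall(r"<script[^>]*>(.*?)</script>", svg_text, re.S | re.I)
    return [re.sub(r"<!\[CDATA\[|\]\]>", "", b) for b in bodies]


def try_decode(body: str) -> Optional[str]:
    """Pair each long hex literal with each short string literal in the same
    script; keep the first XOR result that is printable ASCII naming `location`."""
    for blob in HEX_RE.findall(body):
        if len(blob) % 2:
            continue
        data = bytes.fromhex(blob)
        for key in KEY_RE.findall(body):
            out = xor_with_key(data, key.encode())
            if all(32 <= c < 127 for c in out) and b"location" in out:
                return out.decode("ascii")
    return None


def triage_svg(svg_text: str) -> Dict[str, object]:
    """Collect indicator names; any indicator makes the file 'suspicious'."""
    findings: List[str] = []
    scripts = extract_scripts(svg_text)
    if scripts:
        findings.append("script_element")
    if re.search(r"\son[a-z]+\s*=", svg_text, re.I):
        findings.append("event_handler_attribute")
    if re.search(r"""href\s*=\s*['"]\s*javascript:""", svg_text, re.I):
        findings.append("javascript_href")
    decoded: Optional[str] = None
    for body in scripts:
        if SINK_RE.search(body) and "javascript_location_sink" not in findings:
            findings.append("javascript_location_sink")
        if HEX_RE.search(body) and "long_hex_literal" not in findings:
            findings.append("long_hex_literal")
        decoded = decoded or try_decode(body)
    if decoded:
        findings.append("xor_decoded_redirect")
    return {"verdict": "suspicious" if findings else "clean",
            "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        print(name, triage_svg(doc))
```

The XML-first parse matters because CDATA hides the script body from naive string matching on the raw file, while the regex fallback matters because a browser will still run a script in an SVG that a strict XML parser refuses; a gateway rule that quarantines any SVG with a `script_element` or `javascript_location_sink` finding catches this family without needing the decoded payload at all.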
