Thursday, June 20, 2024

Beware of the New ‘Blank Image’ Attack that Hides Malicious Scripts in Image Files

Avanan researchers have seen a new attack dubbed “Blank Image” spreading throughout the globe wherein hackers include blank images in HTML attachments. When opening the attachment, the user is automatically redirected to a malicious URL.

This email campaign begins with a document that purports to be from DocuSign, this appears to be very legitimate. The user is requested to review and sign the document after it is provided straight to them.

The link to DocuSign will take you to the official DocuSign website. The chain of actions started by the hackers begins when you click on the HTM attachment.

https://lh5.googleusercontent.com/6V_fOkDPnOPlY-ofJhFZ6bax6IZonUp8CcGxq9kp9txrId-yqDwmOgPsW8oAnGAceEKhLBBXwzg7iVvWH0Ohxh9iL84dhVPhgy92-TuHxlB1cdUpuIp1hKaces1tVecebtLLvjCShtBXQK75BfU5ig6ogcAbnxNmeNDXDb7-DbBQUWORr3JSGvQchuIpEA
Email used in the phishing campaign

A victim is directed to a legitimate DocuSign webpage if they click the “View Completed Document” button. However, the “Blank Image” assault is launched if they try to open the HTML attachment.

The HTML document includes a Base64-encoded SVG image with embedded JavaScript code that automatically reroutes the victim to the malicious URL.

Content of the HTML file

Since the SVG image does not contain any graphics or shapes, nothing is displayed on the screen. Simply serving as a placeholder for the malicious script is all it does.

Deobfuscated SVG code featuring a circle element that has no parameters (empty)
Deobfuscated SVG code featuring a circle element that has no parameters

“The hackers are hiding the malicious URL inside an empty image to bypass traditional scanning services”, Avanan.

The JavaScript embedded in the SVG image is executed when it is displayed by an HTML document using a <embed> or <iframe> tag.

Researchers say the SVG is blank in this DocuSign-themed campaign. Although the victim doesn’t see anything on their screen, the URL redirect code is still active.

“This is an innovative way to obfuscate the true intent of the message. It bypasses VirusTotal and doesn’t even get scanned by traditional Click-Time Protection”, researchers 

By layering obfuscation upon obfuscation, most security services are helpless against these attacks”

Therefore, any email with an HTML or.htm attachment should be avoided. Administrators ought to think about blocking HTML attachments and handling them similarly to executables (.exe, .cab).

Network Security Checklist – Download Free E-Book

Website

Latest articles

1inch partners with Blockaid to enhance Web3 security through the 1inch Shield

1inch, a leading DeFi aggregator that provides advanced security solutions to users across the...

Hackers Exploit Progressive Web Apps to Steal Passwords

In a concerning development for cybersecurity, hackers are increasingly leveraging Progressive Web Apps (PWAs)...

INE Security: Optimizing Teams for AI and Cybersecurity

2024 is rapidly shaping up to be a defining year in generative AI. While...

Threat Actor Claims Breach of Jollibee Fast-Food Gaint

A threat actor has claimed responsibility for breaching the systems of Jollibee Foods Corporation,...

Threat Actors Claiming Breach of Accenture Employee Data

Threat actors have claimed responsibility for a significant data breach involving Accenture, one of...

Diamorphine Rootkit Exploiting Linux Systems In The Wild

Threat actors exploit Linux systems because they are prevalent in organizations that host servers,...

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles