Beware of the New ‘Blank Image’ Attack that Hides Malicious Scripts in Image Files

Avanan researchers have seen a new attack dubbed “Blank Image” spreading throughout the globe wherein hackers include blank images in HTML attachments. When opening the attachment, the user is automatically redirected to a malicious URL.

This email campaign begins with a document that purports to be from DocuSign, this appears to be very legitimate. The user is requested to review and sign the document after it is provided straight to them.

The link to DocuSign will take you to the official DocuSign website. The chain of actions started by the hackers begins when you click on the HTM attachment.

https://lh5.googleusercontent.com/6V_fOkDPnOPlY-ofJhFZ6bax6IZonUp8CcGxq9kp9txrId-yqDwmOgPsW8oAnGAceEKhLBBXwzg7iVvWH0Ohxh9iL84dhVPhgy92-TuHxlB1cdUpuIp1hKaces1tVecebtLLvjCShtBXQK75BfU5ig6ogcAbnxNmeNDXDb7-DbBQUWORr3JSGvQchuIpEAhttps://lh5.googleusercontent.com/6V_fOkDPnOPlY-ofJhFZ6bax6IZonUp8CcGxq9kp9txrId-yqDwmOgPsW8oAnGAceEKhLBBXwzg7iVvWH0Ohxh9iL84dhVPhgy92-TuHxlB1cdUpuIp1hKaces1tVecebtLLvjCShtBXQK75BfU5ig6ogcAbnxNmeNDXDb7-DbBQUWORr3JSGvQchuIpEA
Email used in the phishing campaign

A victim is directed to a legitimate DocuSign webpage if they click the “View Completed Document” button. However, the “Blank Image” assault is launched if they try to open the HTML attachment.

The HTML document includes a Base64-encoded SVG image with embedded JavaScript code that automatically reroutes the victim to the malicious URL.

Content of the HTML fileContent of the HTML file

Since the SVG image does not contain any graphics or shapes, nothing is displayed on the screen. Simply serving as a placeholder for the malicious script is all it does.

Deobfuscated SVG code featuring a circle element that has no parameters

“The hackers are hiding the malicious URL inside an empty image to bypass traditional scanning services”, Avanan.

The JavaScript embedded in the SVG image is executed when it is displayed by an HTML document using a <embed> or <iframe> tag.

Researchers say the SVG is blank in this DocuSign-themed campaign. Although the victim doesn’t see anything on their screen, the URL redirect code is still active.

“This is an innovative way to obfuscate the true intent of the message. It bypasses VirusTotal and doesn’t even get scanned by traditional Click-Time Protection”, researchers 

By layering obfuscation upon obfuscation, most security services are helpless against these attacks”

Therefore, any email with an HTML or.htm attachment should be avoided. Administrators ought to think about blocking HTML attachments and handling them similarly to executables (.exe, .cab).

Network Security Checklist – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom meeting…

27 minutes ago

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a significant…

34 minutes ago

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in the…

42 minutes ago

Cache Timing Techniques Used to Bypass Windows 11 KASLR and Reveal Kernel Base

Cache timing side-channel attacks have been used to circumvent Kernel Address Space Layout Randomization (KASLR)…

1 hour ago

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Cybersecurity researchers have unearthed a sophisticated attack leveraging AutoIT, a long-standing scripting language known for…

3 hours ago

New Report Finds 67% of Organizations Experienced Cyber Attacks in the Last Year

A disturbing 67% of businesses in eight worldwide markets—the US, UK, Spain, the Netherlands, Germany,…

3 hours ago