Tuesday, May 6, 2025
HomeCyber Security NewsHackers Distributing Phishing Malware Via SVG Format To Bypass File Detection

Hackers Distributing Phishing Malware Via SVG Format To Bypass File Detection

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity experts at the AhnLab Security Intelligence Center (ASEC) have uncovered a novel phishing malware distribution method leveraging the Scalable Vector Graphics (SVG) file format to bypass detection mechanisms.

SVG, an XML-based vector image format widely used for icons, logos, charts, and graphs, enables the embedding of CSS and JavaScript scripts.

However, attackers are now exploiting its versatile design to craft and distribute malware undetected.

- Advertisement - Google News

ASEC first reported this technique in November 2024, identifying the abuse of SVG files to deliver malicious content. Since then, threat actors have refined their malware, embedding advanced techniques to evade detection.

The malicious SVG files typically masquerade under common filenames such as Play Voicemail Transcription. (387.KB).svg, MT103_0296626389_.svg, and Access Document Remittance_RECEIPT6534114638.svg, enticing victims into opening seemingly harmless attachments.

Technical Breakdown of the Malware

The malware employs Base64 encoding to embed malicious scripts within the file using the <script> tag’s src attribute.

Malicious script encoded in Base64
Malicious script encoded in Base64

While this method is often utilized for legitimate purposes, such as embedding images to reduce server requests, hackers have repurposed it to bypass security filters.

Upon decoding, the malware reveals obfuscated redirect URLs, which lead victims to phishing pages.

For instance, a decoded URL like hxxp://oK2Nv4ZWX6.moydow[.]de/[malicious_code] serves as a link to redirect users further into the attack chain.

Decoded code
Decoded code

At the final stage, it lands victims on a phishing URL, such as hxxps://[account domain].islaxw[.]es/#EmailAccount, designed to harvest sensitive information.

Sophisticated Anti-Analysis Techniques

Once redirected, the attackers employ several advanced countermeasures to hinder malware analysis:

  1. Blocking Automation Tools: Using detection scripts that identify automation tools like PhantomJS or web proxies like Burp Suite, the malware redirects users employing these tools to blank pages.
  2. Preventing Specific Keyboard Actions: Critical key combinations, such as F12 (Developer Tools) and Ctrl+U (View Source), are blocked to prevent inspecting the suspicious webpage.
  3. Disabling Right-Click: Scripts disable the right-click function to ensure analysts cannot interact with the page contextually.
  4. Debugging Detection: The malware measures code execution times using performance.now() to detect debugging activity. If debugging is detected, users are redirected to legitimate content to avoid suspicion.

Phishing Page and Malicious Actions

The phishing page mimics a CAPTCHA verification system, urging users to click a button to proceed.

CAPTCHA phishing page
CAPTCHA phishing page

This interaction secretly sends a GET request to malicious URLs like hxxps://w2cc.pnkptj[.]ru/kella@aok5y, enabling attackers to initiate further actions, including redirecting users to phishing sites disguised as Microsoft login pages.

With attackers increasingly exploiting SVG files for malware distribution, users must adopt security best practices:

  • Avoid Opening Suspicious Attachments: Avoid files, especially in SVG format, received from unknown sources.
  • Exercise Email Vigilance: Verify the legitimacy of emails before interacting with their contents.
  • Update Antivirus Solutions: Ensure robust malware detection systems to prevent threats.

ASEC urges users to remain vigilant against this growing trend, as hackers continuously refine their techniques to stay ahead of detection mechanisms.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...