Threat actors are exploiting SVG files to deliver obfuscated JavaScript that redirects victims to attacker-controlled sites with Base64-encoded tracking. This technique bypasses traditional detection by embedding malicious scripts in image files delivered via spoofed emails. #SVGSmuggling #JavaScriptRedirect #PhishingCampaign
Keypoints
- Attackers embed obfuscated JavaScript within SVG filesโ CDATA script sections to execute browser redirects.
- The phishing emails use spoofed or impersonated senders exploiting weak SPF, DKIM, and DMARC configurations to increase success.
- Redirect URLs are constructed dynamically using atob() and contain Base64 strings for victim tracking.
- Delivery relies on direct SVG attachments or links to externally hosted SVG images, bypassing traditional antivirus detection.
- The campaign targets B2B service providers, including those handling corporate, financial, and employee data.
- Attack infrastructure includes short-lived domains with randomized subdomains to evade static filtering.
- Mitigation recommendations include enforcing strict email authentication, blocking SVG attachments, and user awareness training.
MITRE Techniques
- [T1204.002] User Execution: Malicious SVG files are delivered via spoofed emails that prompt the user to open the file in a browser. (โEmail spoofing and impersonation are used to deliver the SVGs and increase the likelihood of user engagement.โ)
- [T1566] Phishing: Initial access is gained through spoofed or impersonated email messages containing malicious SVG attachments or links. (โInitial access is gained through a phishing campaign using spoofed or impersonated email senders.โ)
- [T1059.004] Command and Scripting Interpreter: JavaScript embedded within SVG files is executed to perform browser redirects. (โObfuscated JavaScript is embedded within sections.โ)
- [T1071.001] Application Layer Protocol: The payload uses browser-native JavaScript functions like atob() and window.location.href for redirecting to attacker URLs. (โThe final malicious URL is assembled using atob() and executed via window.location.href.โ)
- [T1587.001] Develop Capabilities: Use of XOR encryption to obfuscate secondary payloads within SVG files. (โThe embedded code uses a static XOR key to decrypt a secondary payload at runtime.โ)
Indicators of Compromise
- [File Names] Malicious SVG files used in phishing campaigns โ examples include files with extension .svg containing embedded JavaScript.
- [Domains] Attacker-controlled domains used for redirect infrastructure โ examples include randomized or subdomain-based domains with low reputation and short lifespans.
- [Email Headers] Spoofed sender domains lacking DKIM and DMARC enforcement โ observed domains with missing or misconfigured SPF, DKIM, and DMARC records.
Read more: https://www.ontinue.com/resource/blog-svg-smuggling/