Keypoints
- SVG files have been used for malware delivery since 2015, evolving from external-download JavaScript to embedded HTML-style smuggling.
- The open-source tool AutoSmuggle (GitHub, May 2022) automates embedding of executables/archives into SVG/HTML, commonly using a base64ToArrayBuffer method.
- Two recent campaigns (Dec 2023 and Jan–Feb 2024) leveraged SVG smuggling: one delivered XWorm RAT (≈30% of XWorm activity during that timeframe) and another delivered Agent Tesla Keylogger (≈5% of Agent Tesla activity).
- Infection chains commonly used phishing emails with attached SVGs or links that deliver an embedded .zip archive containing JavaScript, VBS, or WSF scripts that download further payloads from BlogSpot and other free file-hosting services.
- Threat actors modified AutoSmuggle output (removing the image line the tool adds and, in some samples, adding a redirect to a legitimate page such as a Maersk webpage) so that the download appears to come from a trusted site and the recipient is more likely to interact with it.
- SVG-style smuggling evades Secure Email Gateways because the archive never appears as a scannable attachment: it exists only as base64 text inside a file the gateway classifies as an image, and is decoded and reconstructed client-side when the recipient's browser runs the embedded script.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Phishing emails delivered the initial SVG file as an attachment. (T1193 is the retired ID for this technique.) ['emails each had an attached SVG file which, when opened, would deliver an embedded .zip archive.']
- [T1566.002] Phishing: Spearphishing Link – Some campaigns used emails, or attached PDFs, with embedded links that downloaded the malicious SVG. ['embedded link that downloaded an SVG file which dropped an embedded .zip archive when it was opened.']
- [T1204.002] User Execution: Malicious File – Victims are tricked into opening the SVG file, which triggers delivery of the smuggled archive. ['when the SVG or HTML file is opened, the "smuggled" file is delivered.']
- [T1027.006] Obfuscated Files or Information: HTML Smuggling – AutoSmuggle embeds the archive as base64 inside the SVG/HTML and reconstructs it in the browser, so the payload is never present as a scannable attachment. ['.zip archives embedded in the SVG files' and 'base64ToArrayBuffer']
- [T1027.003] Obfuscated Files or Information: Steganography – loosely, the SVG hides the payload inside a file that gateways and users treat as an image. This is a weak fit: the payload is base64 text in a script element, not data concealed in image pixels or structure, so treat the mapping as descriptive only. ['SVG files are often treated as image files rather than files containing commands.']
- [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript runs in two places: the smuggling script inside the SVG (executed by the browser to rebuild the archive) and the JavaScript downloader inside the archive (executed by the Windows Script Host). The VBS and WSF variants of the downloader map to [T1059.005] Visual Basic. ['JavaScript file, which would download a series of payloads']
- [T1105] Ingress Tool Transfer – Secondary payloads were downloaded from external hosting (BlogSpot, free file hosts) as part of the chain. ['starting with a payload hosted on BlogSpot' and 'download a series of payloads from free file hosting services']
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Delivered malware attempted persistence by adding itself to startup locations. ['attempts to establish persistence by adding itself to startup locations.']
- [T1082] System Information Discovery – The second-stage script performed environment and system checks before executing later stages. ['the second stage VB script performs checks to gather information about the victim's system and environment.']
- [T1055] Process Injection – Final payloads were injected via an injector DLL into legitimate processes such as attrib.exe and RegSvcs.exe. ['inject the final payload into legitimate processes like attrib.exe or RegSvcs.exe.']
- [T1027.002] Obfuscated Files or Information: Software Packing – The malware is packed to hinder analysis and detection. (T1505.003 is Server Software Component: Web Shell, not packing.) ['The malware employs packing techniques to hide its true nature and evade analysis.']
Indicators of Compromise
- [Repository/URL] AutoSmuggle GitHub repo – https://github.com/surajpkhetani/AutoSmuggle (tool used to generate smuggled SVGs)
- [URL/Source] Campaign payload hosting – BlogSpot URLs used to host initial payloads, and other free file-hosting services were used to host subsequent payloads.
- [File type] Embedded archives and scripts – .zip archives embedded in the SVGs, each containing a JavaScript, VBS, or WSF downloader script. The source names file types only; no hashes or filenames are given, so hunt on structure (an SVG containing a script element with a long base64 literal and Blob/download logic) rather than on specific artefacts.
- [CVE] Related vulnerability – CVE-2023-5631 (Roundcube webmail stored XSS triggered by a crafted SVG in an HTML email) is cited as SVG abuse chained to compromise Roundcube servers. A CVE identifier is a vulnerability reference rather than a compromise indicator; use it for patch prioritisation, not for hunting.
- [Domain/Redirect] Impersonation redirect – Maersk webpage used as a redirect/cover in modified SVGs to make downloads appear legitimate.
SVG files can carry malicious payloads in two ways: with embedded JavaScript that fetches a payload from an external server, or by carrying the entire archive inside the file as base64 (HTML-style smuggling). AutoSmuggle automates the second approach for executables and archives: it encodes the payload as a base64 string in a script element, and when the SVG is opened in a browser the script decodes it (commonly via a base64ToArrayBuffer helper), wraps it in a Blob, and triggers a download so the embedded .zip appears as a freshly downloaded file. Because the archive is rebuilt client-side, no request for it ever crosses the network. Note that browsers do not execute scripts in an SVG rendered as an inline image; the recipient must open the SVG as a document (for example by double-clicking the attachment), which is why the lure's wording matters.
Observed infection chains typically begin with a phishing email containing an attached SVG or an embedded link that downloads an SVG. The opened SVG drops an embedded .zip archive that contains a JavaScript, VBS, or WSF script; these scripts then download additional payloads from BlogSpot or other free file-hosting services, decode/decrypt intermediate stages, and execute final families such as Agent Tesla (keylogger) or XWorm RAT. Variations included PDF attachments with embedded links, direct SVG attachments, and different script types in the archive (JS, VBS, WSF).
Threat actors modified AutoSmuggle-generated SVGs by removing the auto-added image line and, in some Agent Tesla samples, adding a redirect (for example to a Maersk page) to make the download appear to originate from a legitimate site; XWorm samples instead displayed a blank page. These small template changes indicate reuse of AutoSmuggle with light customization to increase user interaction and evade email gateway detection.
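The following is an added example, not code from the Cofense post or from AutoSmuggle: a static triage script for the mechanism described above (base64 literal decoded by base64ToArrayBuffer, wrapped in a Blob and force-downloaded) that also flags the two customisations mentioned (an SVG that draws nothing because the image line was removed, and a redirect to a legitimate-looking site). The SVG samples are constructed for this example; the script body inside them is written to match the pattern the post describes and is not AutoSmuggle's template, and example.invalid stands in for whatever site an attacker would redirect to. The triage falls back to a regex scrape when the SVG is not well-formed XML, which is common in malicious samples.

```python
"""Static triage of an SVG for HTML-style payload smuggling (added example)."""
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# --- constructed sample inputs (not real campaign artefacts) -----------------
def _build_sample_zip() -> bytes:
    """A harmless .zip standing in for the smuggled archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder; a real lure carries a downloader\n")
    return buf.getvalue()

SAMPLE_ZIP = _build_sample_zip()

# Script body is ours, written to match the described pattern: base64 literal,
# base64ToArrayBuffer, Blob, forced download, then a redirect (placeholder domain).
SMUGGLING_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script type="text/javascript"><![CDATA[
var file = '__B64__';
var fileName = 'invoice.zip';
function base64ToArrayBuffer(base64) {
  var binary = window.atob(base64);
  var bytes = new Uint8Array(binary.length);
  for (var i = 0; i < binary.length; i++) { bytes[i] = binary.charCodeAt(i); }
  return bytes.buffer;
}
var blob = new Blob([base64ToArrayBuffer(file)], {type: 'octet/stream'});
var a = document.createElementNS('http://www.w3.org/1999/xhtml', 'a');
a.href = window.URL.createObjectURL(blob);
a.download = fileName;
document.documentElement.appendChild(a);
a.click();
setTimeout(function () { window.location.href = 'https://example.invalid/'; }, 1500);
]]></script>
</svg>""".replace("__B64__", base64.b64encode(SAMPLE_ZIP).decode())

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
<circle cx="5" cy="5" r="4" fill="green"/></svg>"""

# --- triage ------------------------------------------------------------------
SVG_NS = "{http://www.w3.org/2000/svg}"
MARKERS = {
    "base64ToArrayBuffer": re.compile(r"base64ToArrayBuffer"),
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"new\s+Blob\s*\("),
    "createObjectURL": re.compile(r"createObjectURL"),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob"),
    "forced download": re.compile(r"\.download\s*="),
    "redirect": re.compile(r"location(\.href)?\s*=[^=]|location\.replace\s*\("),
}
DROPPER_MARKERS = {"Blob", "createObjectURL", "msSaveOrOpenBlob", "forced download"}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{100,}={0,2})['\"]")
DRAWABLE = re.compile(r"<(circle|rect|path|text|image|ellipse|line|polygon|polyline|use)\b", re.I)
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}


def script_bodies(svg_text: str) -> list:
    """Text of every <script> element; tolerates malformed XML via a regex scrape."""
    try:
        root = ET.fromstring(svg_text)
        return [el.text for el in root.iter()
                if el.tag in ("script", SVG_NS + "script") and el.text]
    except ET.ParseError:
        raw = re.findall(r"<script[^>]*>(.*?)</script>", svg_text, re.S | re.I)
        return [re.sub(r"^\s*<!\[CDATA\[|\]\]>\s*$", "", s) for s in raw]


def identify(blob: bytes) -> str:
    """Cheap file-type guess from magic bytes."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def zip_entries(blob: bytes) -> list:
    """Member names if the blob is a zip, else an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_svg(svg_text: str) -> dict:
    """Summarise script markers, decoded payloads and a coarse verdict."""
    scripts = script_bodies(svg_text)
    body = "\n".join(scripts)
    markers = sorted(name for name, rx in MARKERS.items() if rx.search(body))
    payloads = []
    for m in B64_LITERAL.finditer(body):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # long alphabet-only string that is not valid base64
        payloads.append({"size": len(raw), "kind": identify(raw), "entries": zip_entries(raw)})
    dropper = bool(DROPPER_MARKERS & set(markers))
    carried = any(p["kind"] != "unknown" for p in payloads)
    if dropper and carried:
        verdict = "likely smuggling"
    elif scripts:
        verdict = "scripted svg, review"
    else:
        verdict = "no script"
    return {"script_count": len(scripts), "markers": markers, "payloads": payloads,
            "draws_nothing": not DRAWABLE.search(svg_text), "verdict": verdict}


if __name__ == "__main__":
    for name, svg in (("smuggling", SMUGGLING_SVG), ("benign", BENIGN_SVG)):
        print(name, triage_svg(svg))
```

The verdict deliberately requires both a dropper marker and a decodable payload with a recognised magic, so an SVG that merely contains a script (animation, interactivity) is surfaced for review rather than blocked; the `draws_nothing` flag is what distinguishes a script-only SVG of the kind produced by stripping AutoSmuggle's image line from a legitimate scripted graphic. Run it over the SVG attachments a gateway quarantines, or over `Content-Type: image/svg+xml` bodies, and route `likely smuggling` results to sandboxing with the extracted zip member names attached.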
Read more: https://cofense.com/blog/svg-files-abused-in-emerging-campaigns/