Criminals are using SVG Files to serve malware

Security experts at AppRiver firm have discovered a malicious campaign that is distributing a strain of ransomware via SVG files.

Researchers at the AppRiver security firm have uncovered a malicious campaign that is distributing a strain of ransomware by exploiting SVG files.

The SVG (Scalable Vector Graphics) is an XML-based vector image format for two-dimensional graphics with support for animation and interactivity. The SVG images include the definition of their behaviors in XML text files, this feature makes possible SVG image can be searched, indexed, scripted, and compressed. Despite SVG images can be created and edited with any text editor, more often they are created directly with a software that elaborates the images.

Also in this case the attack vector is the email that in the specific case appears to have a resume attached. The attachment is a ZIP archive containing an SVG file. The experts at AppRiver noticed that threat actors in the wild are exploiting a small JavaScript entry contained in the SVG files that allow them to redirect victims to a website used to serve the Cryptowall malware.

“These SVG files however contained a small javascript entry that would open a webpage to download some malware.” AppRiver researchers said in a blog post. “The IP link in question ends up forwarding to another domain where a zip is downloaded of the actual exe payload. It didn’t auto execute, user interaction would still be needed for that. “

When the victims open the malicious SVG file, their PC is infected by the ransomware that start encrypting files and request the payment of a ransom.

“Crypto ransomware has proven many times it is effective for attackers in getting users to actually pay the ransom. The tactic is still alive and likely to continue evolving. With the attacks still being prevalent, it’s a good idea to make sure you are covered with data backups that cannot be potentially accessed by the malware (it’s been known to encrypt network shares and NAS units),” consitnue the report from AppRiver.

By analyzing the source code of the malware served in the campaign the experts noticed that it contains hardcoded SQL commands that appear to target a school’s database.

“And the interesting bit of info I noticed while looking at the exe that was downloaded, was that it had sql commands hard coded in it. Looking closer they all seemed related to a potential schools sql database. Some of the recipients we stopped this malware for were schools but nothing seemed out of the ordinary with the volume of recipients, which was low volume in general. While it’s possible the malware had other intentions from encrypting in mind, like to wreak havoc in a sql database, this was from a strings output so it was all plain text and the table naming conventions just seem a little too plain as well. However, someone knowing sql table names or a school using a plain naming convention could be problematic if the malware were to attempt to attain access and do its thing.” continues the post.

Another possibility is that malware authors have inserted the SQL commands in the source code in order to deceive investigators and make harder the analysis.

“While these appeared to be part of valid functions, it looks like they were not used during testing. Though it’s possible there were very specific parameters that needed to be met for this to go active and attempt sql changes,” 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SVG file, ransomware)