🛡 H3lium@infosec.exchange/:~#<p>Cybercriminals are using <a href="https://infosec.exchange/tags/Scalable_Vector_Graphics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Scalable_Vector_Graphics</span></a> (<a href="https://infosec.exchange/tags/SVG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SVG</span></a>) files to deliver malware because SVG is an XML-based vector image format for two-dimensional graphics that supports interactivity and animation. SVG files can natively contain <a href="https://infosec.exchange/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> code, which can be executed by browsers when the SVG is loaded.<br>They do this by leveraging the <a href="https://infosec.exchange/tags/AutoSmuggle" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AutoSmuggle</span></a> tool introduced in May 2022. This tool embeds malicious files into SVG/HTML content, bypassing security measures. Notably, SVG files were exploited to distribute <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ransomware</span></a> in 2015 and the <a href="https://infosec.exchange/tags/Ursnif" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ursnif</span></a> malware in January 2017. A significant advancement occurred in 2022, with malware like <a href="https://infosec.exchange/tags/QakBot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QakBot</span></a> being delivered through SVG files containing embedded .zip archives.
AutoSmuggle campaigns in December 2023 and January 2024 delivered the <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XWorm</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> and <a href="https://infosec.exchange/tags/Agent_Tesla" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Agent_Tesla</span></a> <a href="https://infosec.exchange/tags/Keylogger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Keylogger</span></a>, respectively, showcasing a shift towards embedding executable files directly within SVG files to evade detection by Secure Email Gateways (<a href="https://infosec.exchange/tags/SEGs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SEGs</span></a>). This evolution underscores the need for updated security measures to combat sophisticated malware delivery methods.<br>The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.<br>Original report: <a href="https://cofense.com/blog/svg-files-abused-in-emerging-campaigns/" rel="nofollow noopener" target="_blank">Cofense</a></p>
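<p>The post describes SVG files that carry JavaScript plus a smuggled archive or executable. The script below is an added example, not code from the post, from Cofense, or from the AutoSmuggle tool: a static triage pass a mail-gateway or IR analyst could run over an SVG attachment. It parses the XML and reports the three things that make an SVG "active" (script elements, on* event-handler attributes, javascript: hrefs), looks for the Blob/createObjectURL download pattern that HTML/SVG smuggling relies on, and decodes any long base64 run to check whether it is a ZIP or PE file. The sample SVG is constructed for the test (the "payload" is a ZIP magic header followed by zero bytes); the length threshold and the verdict rules are assumptions to tune for your own mail flow.</p>

```python
"""Static triage of SVG attachments for active content and smuggled payloads.

Added example for analysts; the detection heuristics are assumptions, not a
reference for any specific tool or campaign.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Heuristic knobs (assumed values; tune for your environment).
MIN_BLOB_LEN = 512                       # shortest base64 run worth decoding
ZIP_MAGIC = b"PK\x03\x04"                # ZIP local file header
PE_MAGIC = b"MZ"                         # DOS/PE header
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
BLOB_API_RE = re.compile(r"\bnew\s+Blob\s*\(|msSaveOrOpenBlob|URL\.createObjectURL")


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}href' -> 'href'."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def triage_svg(data: bytes) -> dict:
    """Return findings for one SVG document (raises ET.ParseError on bad XML)."""
    findings = {"script_elements": 0, "event_handlers": [], "js_hrefs": 0,
                "blob_api": False, "embedded_payloads": []}
    root = ET.fromstring(data)
    script_text = []
    for el in root.iter():
        if _local(el.tag) == "script":
            findings["script_elements"] += 1
            if el.text:
                script_text.append(el.text)
        for attr, val in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):            # onload, onclick, ...
                findings["event_handlers"].append(a)
            if a == "href" and val.strip().lower().startswith("javascript:"):
                findings["js_hrefs"] += 1             # covers href and xlink:href
    if BLOB_API_RE.search("\n".join(script_text)):
        findings["blob_api"] = True
    # Decode long base64 runs anywhere in the file and identify the file type.
    for m in B64_RE.finditer(data.decode("utf-8", "replace")):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (ValueError, TypeError):
            continue
        kind = ("zip" if blob.startswith(ZIP_MAGIC)
                else "pe" if blob.startswith(PE_MAGIC) else "unknown")
        findings["embedded_payloads"].append((kind, len(blob)))
    return findings


def verdict(findings: dict) -> str:
    """Assumed triage policy: smuggled blob or download API -> suspicious."""
    if findings["embedded_payloads"] or findings["blob_api"]:
        return "suspicious"
    if findings["script_elements"] or findings["event_handlers"] or findings["js_hrefs"]:
        return "review"          # active content, but no smuggled file seen
    return "clean"


def build_sample_smuggling_svg() -> bytes:
    """Constructed test input mimicking the smuggling pattern; payload is inert."""
    fake_zip = ZIP_MAGIC + b"\x00" * 600            # 604 bytes, ZIP magic only
    b64 = base64.b64encode(fake_zip).decode()
    svg = f'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="drop()">
  <a xlink:href="javascript:drop()"><text x="10" y="20">Open document</text></a>
  <script>
    function drop() {{
      var raw = atob("{b64}");
      var bytes = new Uint8Array(raw.length);
      for (var i = 0; i &lt; raw.length; i++) bytes[i] = raw.charCodeAt(i);
      var blob = new Blob([bytes], {{type: "application/octet-stream"}});
      var a = document.createElement("a");
      a.href = URL.createObjectURL(blob);
      a.download = "invoice.zip";
      a.click();
    }}
  </script>
</svg>'''
    return svg.encode()


# Constructed benign control: plain vector drawing, no script.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')


if __name__ == "__main__":
    for label, doc in (("smuggling sample", build_sample_smuggling_svg()),
                       ("benign control", BENIGN_SVG)):
        f = triage_svg(doc)
        print(f"{label}: {verdict(f)} {f}")
```

<p>Two caveats worth keeping in mind when using this as a gateway check. First, it is purely static: a payload split across several string literals, stored under a custom alphabet, or assembled at runtime will defeat the base64 scan, so treat any script element or event handler in an e-mailed SVG as reason enough to detonate it. Second, browsers only run the embedded script when the SVG is opened directly or embedded via object/iframe; an SVG referenced from an img tag is rendered without script execution, which is exactly why these campaigns deliver the file as an attachment the victim opens.</p>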