Cybercriminals are using #Scalable_Vector_Graphics (#SVG) files to deliver malware because SVG is an XML-based vector image format for two-dimensional graphics that supports interactivity and animation. SVG files can natively contain #JavaScript code, which can be executed by browsers when the SVG is loaded.
They do this by leveraging the #AutoSmuggle tool introduced in May 2022. This tool embeds malicious files into SVG/HTML content, bypassing security measures. Notably, SVG files were exploited to distribute #ransomware in 2015 and the #Ursnif malware in January 2017. A significant advancement occurred in 2022, with malware like #QakBot being delivered through SVG files containing embedded .zip archives. AutoSmuggle campaigns in December 2023 and January 2024 delivered the #XWorm #RAT and #Agent_Tesla #Keylogger, respectively, showcasing a shift towards embedding executable files directly within SVG files to evade detection by Secure Email Gateways (#SEGs). This evolution underscores the need for updated security measures to combat sophisticated malware delivery methods.
The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.
Original report: Cofense