A recent investigation by AhnLab Security Intelligence Center (ASEC) has uncovered a phishing malware distributed in Scalable Vector Graphics (SVG) format. This malware embeds malicious scripts encoded in Base64, effectively using SVG’s capabilities to evade detection. It exploits users by redirecting them to counterfeit CAPTCHA pages which are designed to hinder analysis and capture sensitive information. Affected: users, online platforms, phishing sector
Keypoints :
- Phishing malware is being distributed using SVG files.
- Malicious scripts in SVG are encoded with Base64 to evade detection.
- Redirects to fake CAPTCHA pages are used to collect user data.
- The malware blocks automation tools and specific keyboard shortcuts to avoid detection.
- The phishing trend is growing, urging users to be cautious with SVG files.
MITRE Techniques :
- T1060: Resource Hijacking – Exploiting SVG capabilities to embed malicious scripts.
- T1071: Application Layer Protocol – Using HTTP(S) for communication with redirect URLs.
- T1203: Exploitation for Client Execution – Relying on user interaction with the SVG files to execute phishing.
- T1490: Ingress Tool Transfer – Use of the web to obtain malicious payloads through SVG format.
- T1566: Phishing – Conducting phishing attacks via disguised CAPTCHA pages.
Indicator of Compromise :
- [URL] hxxp://oK2Nv4ZWX6.moydow[.]de/aRghs76TyPdTWwfkOLkGoZRvtAKfi7SZIhk9vgovyVtf0Fl6Q86sq9CsNroQKjXHfbTWmJC49a5xoN1LdzgLlvse0zrGoqwJoaxHrElkA3a9Jn5xQbixSnS5KtaP3Hsj8j6usck0gto5qZoL44dKVbO6uQUwpokCD9qIQncUphBywUx8wta38JwOJcHKTKF6mbsxwNXG/MZz8BcXH4eB0RMRSQ5VqnN2doConZCsLAfBulS7bWQG7kNXIU2etgBMMODIaetz92FvV84lE36zALE52Z2qJBiGHbrUhnXd98X0PxQpDjc6nXZSW7GkWk6mHfLYx88VemLE678FkIXkK4ILAxSVW5yiMkWuMVe1sFdBc2lD4HlBqWWOfHT2D0REEiZFeYEMQOaQLaY33/[Email Account]
- [URL] hxxps://[Account Domain].islaxw[.]es/jfWNu1IAW/#[Email Account]
- [URL] hxxps://w2cc.pnkptj[.]ru/kella@aok5y
- [MD5] 42565c1c9ecedd937439713e20838b3a
- [MD5] caad49bc4c408e6af8aea813cec6cb0b
Full Story: https://asec.ahnlab.com/en/87078/