
Hidden Malware in Images Evades Antivirus, VirusTotal Warns

Summary

– SVG files are lightweight, XML-based images that can contain active code, making them an increasingly popular tool for hackers to deliver malware stealthily.
– A recent campaign used weaponized SVGs to impersonate Colombia’s judicial system, displaying a fake web portal that delivered a malicious ZIP archive when interacted with.
– These malicious SVGs leveraged embedded HTML and JavaScript to function like phishing kits, with many evading antivirus detection due to code obfuscation and dummy content.
– SVG-based attacks are not isolated, as multiple security firms have documented rising use in campaigns targeting sectors like banking and employing redirectors or credential harvesters.
– Microsoft is retiring inline SVG support in Outlook to close this attack vector, and users should treat unknown SVG files with caution like any other suspicious file.

A recent security alert from VirusTotal has exposed a sophisticated malware campaign that cleverly conceals malicious code within seemingly harmless Scalable Vector Graphics (SVG) files, allowing it to bypass traditional antivirus detection. This method leverages the inherent ability of SVG files to embed active scripts, turning what appears to be a simple image into a functional phishing portal capable of delivering dangerous payloads.

The investigation identified a specific campaign where threat actors distributed SVG files disguised as official legal notifications from Colombia’s judicial system. When opened, these files displayed a convincing imitation of a government web portal, complete with a progress bar and a download button. Clicking the button triggered the delivery of a malicious ZIP archive containing a signed browser executable and a harmful DLL file designed for sideloading, ultimately installing additional malware on the victim’s system.

VirusTotal’s retrospective analysis linked 523 SVG files to this operation, with 44 of them completely undetected by any antivirus software at the time they were submitted. The malicious SVG code used obfuscation and inserted large amounts of meaningless data to increase complexity and evade static analysis tools.
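The two evasion traits described above (active content hidden in an "image", and meaningless filler added to frustrate static analysis) are both visible to a plain XML parser. The following triage script is an added example written for this page; it is not VirusTotal's, Sophos's or any other vendor's detection logic. The element and attribute lists, the 50% filler threshold and the two sample SVGs are all constructed assumptions for illustration.

```python
"""Static triage for SVG attachments: flag active content and padding.

Added example, not vendor code. The detection lists and the PADDING_RATIO
threshold are assumptions chosen for illustration, not published rules.
"""
import json
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed foreign (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Elements that never render; a convenient place to hide bulk filler text.
NON_RENDERING = {"desc", "title", "metadata"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
COMMENT_RE = re.compile(rb"<!--.*?-->", re.DOTALL)
# Assumed threshold: more than half the bytes being non-rendering filler is
# treated as deliberate padding.
PADDING_RATIO = 0.5


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> dict:
    """Return a verdict plus the list of static findings for one SVG blob."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {"verdict": "unparsable", "findings": [f"xml parse error: {exc}"],
                "filler_ratio": 0.0}

    # Comments are dropped by ElementTree, so measure them on the raw bytes.
    filler = sum(len(m.group(0)) for m in COMMENT_RE.finditer(data))
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        if tag in NON_RENDERING:
            filler += len((el.text or "").encode())
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler {aname}= on <{tag}>")
            elif aname == "href":
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "data"):
                    findings.append(f"{scheme}: URI in href on <{tag}>")

    ratio = filler / max(len(data), 1)
    if ratio > PADDING_RATIO:
        findings.append(f"{ratio:.0%} of file is non-rendering filler")

    verdict = "suspicious" if findings else "benign-static"
    return {"verdict": verdict, "findings": findings, "filler_ratio": round(ratio, 2)}


# Constructed samples: a plain icon, and a mock "portal" SVG of the shape the
# article describes (HTML in foreignObject, a script, junk text in <desc>).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
<circle cx="8" cy="8" r="6" fill="blue"/></svg>"""

PHISH_SVG = (
    b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="800" height="600">
<desc>""" + b"lorem ipsum " * 400 + b"""</desc>
<foreignObject width="800" height="600">
  <div xmlns="http://www.w3.org/1999/xhtml">
    <p>Fake portal: your notification is ready</p>
    <a href="javascript:void(0)" onclick="download()">Download</a>
  </div>
</foreignObject>
<script>function download(){ /* would serve the archive */ }</script>
</svg>"""
)

if __name__ == "__main__":
    for name, blob in (("clean.svg", CLEAN_SVG), ("notice.svg", PHISH_SVG)):
        print(name, json.dumps(scan_svg(blob), indent=2))
```

The scanner works on parsed structure rather than raw string matches, so renaming or re-encoding the script body does not hide the `<script>`, `<foreignObject>` or `onclick` markers, and the filler ratio catches the "large amounts of meaningless data" trick regardless of what the data is. For untrusted input in production, parse with `defusedxml` (or cap the input size) so a hostile file cannot exhaust the parser with entity expansion.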

This is not an isolated trend. Earlier this year, IBM X-Force reported similar SVG-based attacks aimed at financial and insurance organizations. Cloudflare’s threat intelligence team also noted a significant increase in SVG files being used either as redirectors or as fully functional credential harvesters. In response, several security firms, including Sophos, have introduced updated detection rules to identify these disguised threats.

Microsoft has taken proactive measures by disabling inline SVG rendering in its web and new Windows versions of Outlook. This change means SVG content will no longer display within emails, effectively shutting down a major delivery method for these attacks.

For the time being, users are advised to treat SVG files with the same caution as any unfamiliar attachment. Exercising vigilance with unexpected or unsolicited files remains one of the most effective ways to avoid falling victim to such evolving threats.

(Source: Tom’s Hardware)
