
Cyber offenders have started taking advantage of Scalable Vector Graphics (SVG) files as advanced attack channels, converting what appear to be innocuous image files into powerful phishing tools capable of running harmful JavaScript on Windows platforms.

This rising danger exploits the XML-based format of SVG files to embed scripts that execute as soon as the file is opened in the default web browser, bypassing security controls that are tuned for traditional executable files.

In contrast to conventional image formats like JPEG or PNG which encode pixel information, SVG files employ XML-based syntax to delineate vector paths, shapes, and textual components.

This inherent variation provides an opening for attackers to integrate JavaScript code within the file structure, executing automatically when the SVG file is accessed in a browser.

The assault primarily targets Windows systems where SVG files open in default web browsers, facilitating instant script execution without any user action required beyond simply opening the file.

Seqrite security analysts have detected a complex operation utilizing this method, noting that attackers have been disseminating harmful SVG files via spear-phishing emails featuring misleading subject lines such as “Reminder for your Scheduled Event” and attachments labeled “Upcoming Meeting.svg” or “Your-to-do-List.svg.”

Attack chain of SVG campaign (Source – Seqrite)

The operation additionally employs cloud storage solutions such as Dropbox, Google Drive, and OneDrive to distribute harmful files while circumventing email security systems.

This attack exhibits notable technical sophistication, with threat actors utilizing various evasion tactics to ensure persistence and evade detection by conventional security mechanisms.

Technical Infection Mechanism and Code Obfuscation

The harmful SVG files contain embedded `<script>` tags wrapped in CDATA sections to hide the malicious logic from basic content scanners. Security experts found that attackers store the payload in a hex-encoded string variable (Y) and obfuscate it with a short XOR key (q).

When processed, this encoded data decrypts into executable JavaScript that uses the window.location = 'javascript:' + v; syntax to redirect victims to phishing websites.

Upon successful decryption, the payload reroutes users to command-and-control infrastructure, specifically hxxps://hju[.]yxfbynit[.]es/koRfAEHVFeQZ!bM9, which employs Cloudflare CAPTCHA gates before displaying convincing Office 365 login screens designed for credential harvesting.
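As an added example (not code from the article or from Seqrite), the following Python triage script flags the indicators described above in an SVG file: a script element, a CDATA section, a long hex string literal, and a javascript: redirect assigned to window.location. Both sample SVGs are constructed for this example and the hex value is a placeholder; the check for inline on* event-handler attributes goes beyond what the article describes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure the article describes: a <script>
# inside CDATA, a hex-string variable Y, a short XOR key q and a
# window.location = 'javascript:' + ... redirect. The hex value is a placeholder.
MALICIOUS_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="blue"/>
  <script><![CDATA[
    var Y = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";
    var q = "k";
    var v = "";
    window.location = 'javascript:' + v;
  ]]></script>
</svg>"""

# Constructed benign image with no script content at all.
BENIGN_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>"""

# A quoted literal of 32+ hex characters is unusual in a drawing.
HEX_LITERAL = re.compile(r"""["']([0-9a-fA-F]{32,})["']""")


def scan_svg(text):
    """Return sorted indicator names found in the SVG text; [] means nothing flagged."""
    findings = set()
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["xml-parse-error"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        if tag == "script":
            findings.add("script-element")
            body = el.text or ""  # ElementTree exposes CDATA content as text
            if "window.location" in body:
                findings.add("location-redirect")
            if "javascript:" in body.lower():
                findings.add("javascript-uri")
        for attr, val in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):  # inline event handlers (beyond the article)
                findings.add("event-handler-attribute")
            if val.strip().lower().startswith("javascript:"):
                findings.add("javascript-uri")
    if "<![CDATA[" in text:
        findings.add("cdata-section")
    if HEX_LITERAL.search(text):
        findings.add("long-hex-literal")
    return sorted(findings)
```

Any non-empty result is a reason to quarantine the attachment rather than let it open in a browser; a legitimate vector image should return an empty list.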
