Beware SVG Smuggling: Stealthy Malware Hides in Images

September 22, 2025 at 12:00 AM

Cybercriminals are turning harmless-looking SVG image files into self-contained malware delivery systems. A Latin American campaign, hitting Colombia hardest, uses urgent court-themed emails to trick recipients into opening oversized SVG attachments.

What happens next:

  • The SVG opens in the browser and renders a fake judicial portal with a staged workflow, progress bars, and verification steps.
  • A script inside the SVG assembles a password-protected ZIP in the browser and triggers its download; the password is conveniently shown on the page, and the encryption also keeps mail gateways and endpoint scanners from inspecting the archive's contents.
  • Running the included executable advances the compromise: it relies on DLL sideloading (a trusted program loading an attacker-supplied DLL placed alongside it) to blend in, and ultimately deploys AsyncRAT.

Why this tactic works:

  • The technique, known as SVG smuggling, was recently added to MITRE ATT&CK and is showing up in more attacks.
  • SVGs are XML, and the format permits script elements, hyperlinks, event handlers and embedded HTML, so one file can carry both the lure page and the payload; that helps it slip past defenses that treat images as inert and removes the need to fetch a first stage from an external server (the RAT itself still calls home once installed).
  • Each target receives a unique, bloated SVG (often over 10 MB) padded with randomized data, so file hashes and simple signatures do not repeat across victims. Artifacts suggest some files are AI-assisted: boilerplate text, repetitive class names, and even hash-like strings that are not valid MD5 digests.

What AsyncRAT can do:

  • Keystroke logging, screenshot capture, camera and mic hijacking, and theft of browser-stored credentials.

Notable clues from this campaign:

  • One sample is detected by ESET as JS/TrojanDropper.Agent.PSJ (SHA1: 0AA1D24F40EEC02B26A12FBE2250CAB1C9F7B958).
  • Detection telemetry showed mid-week spikes throughout August, suggesting a systematic operation.

How to stay safe:

  • Treat unexpected SVG attachments as suspicious; a court or government agency has no reason to send a notification as an SVG image, and an "image" that opens as an interactive web page is a red flag.
  • Be wary of urgent legal threats in email. Do not click links or open attachments you did not request.
  • Use strong, unique passwords and enable two-factor authentication.
  • Keep reputable security software active on all devices.

Source: WeLiveSecurity
