Hackers Hiding Keylogger, RAT Malware in SVG Image Files
Critical Infrastructure Security , Cybercrime , Endpoint Security
New Campaign Evades Security Tools to Deliver Agent Tesla Keylogger and XWorm RAT
Threat actors are hiding malware in SVG image files to evade detection and deliver ransomware, download a banking Trojan and distribute malware.
Cofense Intelligence researchers in January observed a two-month campaign that used SVG files to deliver Agent Tesla Keylogger and XWorm RAT malware. The researchers advise security teams to remind users to watch for unexpected downloads upon opening an SVG file, the telltale sign of a compromise.
The Scalable Vector Graphic file format uses mathematical equations to describe images, which enables them to be scaled without loss of image quality and makes them suitable for diverse design applications.
AutoSmuggle, an open-source tool released in May 2022, enables threat actors to embed malicious files within SVG or HTML content, bypassing security measures such as secure email gateways and increasing the chances of successful malware delivery.
The use of SVG files for malware delivery was first observed in 2015, but researchers said hackers have refined their tactics to bypass security measures and successfully distribute harmful payloads. SVG files distributed Ursnif malware in 2017 and were used to smuggle .zip
archives containing QakBot malware 2022.
In the Agent Tesla Keylogger campaigns in December 2023 and January 2024, emails contained attached SVG files that, when opened, delivered embedded .zip
archives. These archives initiated a series of payload downloads, culminating in the execution of Agent Tesla Keylogger. Threat actors modified AutoSmuggle-generated SVG files to enhance their deceptive capabilities.
The XWorm RAT campaigns featured varying infection chains. Some used embedded links leading to SVG files, and others used attached SVG files directly.
These files initiated the download of .zip
archives containing payloads for executing XWorm RAT. The SVG files used in these campaigns lacked the sophistication observed in Agent Tesla Keylogger campaigns and featured blank pages upon opening.
The researchers recommend robust mitigation strategies against SVG-based malware threats. Traditional defenses that rely on file extensions are inadequate in the face of evolving malware tactics.