Cybersecurity researchers have uncovered a sophisticated malware campaign that exploits SVG (Scalable Vector Graphics) files and email attachments to distribute dangerous Remote Access Trojans, specifically XWorm and Remcos RAT.<\/p>\n
This emerging threat represents a significant evolution in attack methodologies, as threat actors increasingly turn to non-traditional file formats to bypass conventional security defenses.<\/p>\n
The campaign employs multiple delivery vectors, including direct email attachments containing malicious EML files and URLs hosted on trusted platforms like ImageKit.<\/p>\n
These ZIP archives contain highly obfuscated BAT scripts that serve as the initial infection stage, utilizing advanced techniques to evade static detection mechanisms.<\/p>\n
The malware\u2019s fileless execution approach enables it to operate entirely in memory, making detection considerably more challenging for traditional endpoint protection solutions.<\/p>\n
Seqrite researchers identified<\/a> two distinct campaign variants during their analysis, revealing an evolving threat landscape where attackers continuously refine their techniques.<\/p>\n The first campaign delivers BAT scripts directly through email attachments, while the second introduces SVG files embedded with JavaScript as a novel delivery mechanism.<\/p>\n These SVG files appear as legitimate image files but contain embedded scripts that automatically trigger malicious payload downloads when rendered in vulnerable environments or embedded within phishing pages<\/a>.<\/p>\n The attack chain demonstrates remarkable sophistication in its execution methodology. Once the initial ZIP file is extracted, victims encounter a heavily obfuscated BAT script designed to appear benign while executing complex malicious operations.<\/p>\n This script leverages PowerShell to perform in-memory payload injection, effectively bypassing traditional file-based detection systems.<\/p>\n The malware employs sophisticated evasion techniques that target core Windows security mechanisms. The PowerShell<\/a> component programmatically disables both AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) through dynamic .NET reflection and delegate creation.<\/p>\n The attack resolves native functions including GetProcAddress, GetModuleHandle, VirtualProtect, and AmsiInitialize to locate and patch the AmsiScanBuffer function in memory.<\/p>\n The persistence mechanism involves creating BAT files within the Windows Startup folder, ensuring automatic execution upon system restart or user login.<\/p>\n The PowerShell script searches for Base64-encoded payloads hidden within batch file comments, specifically targeting lines prefixed with triple-colon markers.<\/p>\n These payloads undergo multiple layers of decryption, including AES decryption using hardcoded keys and GZIP decompression before final execution.<\/p>\n The loader component functions as a critical intermediary, extracting and executing embedded .NET assemblies directly in memory using Assembly.Load operations.<\/p>\n This approach eliminates the need for disk-based file creation, significantly reducing detection probability while maintaining full operational capability for deploying XWorm<\/a> and Remcos RAT payloads.<\/p>\n The post New Malware Attack Leverages SVGs, Email Attachments to Deliver XWorm and Remcos RAT<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhXf_-O3w_zFk-xaCRNlxvQkclQHOiBdkbu3il8Nwfb6jqwNoUi6LjAm5LTTnqX4E5iSsis3mKAtH2J0VReMrtW9ianTWJcgLQMiYNO123WA-jX4Tnbr8P_rMGZa1st1Bg7zHLF020fCvPvoWoEx-vRofKQSIazqZAOCwgTXPeLIKCVAAziUOwSWj66CuM\/s16000\/Infection%2520Chain%2520%28Source%2520-%2520Seqrite%29.webp?ssl=1\")
Advanced Evasion and Persistence Mechanisms<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2cZK8mlGo4h0WzIcFD0lv0fPgVgoROaW6w2skOaQ2553Wf4-mihFYwymjHC_LCJMW-4VWDvJFW3pvDSUVGvTOPSKlge_FDtIR4b8ywqa_6QIer7f1HTwNmFtBJ_K0HBN8hHfXtjFxfQnL0zlFi2uv-esANnVWSMqfei53NqnvCF7NyUUfVFZ4JWBDI3U\/s16000\/Obfuscated%2520and%2520deobfuscated%2520bat%2520files%2520%28Source%2520-%2520Seqrite%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n