Phishing Campaigns Leverage SVG Files with Embedded JavaScript for Redirection
Threat actors are increasingly using Scalable Vector Graphic (SVG) files containing obfuscated JavaScript to bypass security filters and redirect victims to malicious phishing pages.

A new wave of phishing attacks is employing Scalable Vector Graphic (SVG) files as a delivery mechanism for malicious payloads. These SVG files, typically used for web graphics and icons, are being weaponized to host JavaScript code designed to redirect unsuspecting users to phishing websites. This technique is not entirely new, but its current prevalence and specific implementation warrant attention.
The SVG files in this campaign are notably simple, often lacking any graphical elements. Instead, their primary function is to embed a piece of JavaScript. This script contains variables that hold encoded information, such as the targeted email address, which is Base64 encoded. For instance, the variable nl decodes to handlers@sans.edu.
The core of the malicious payload resides in the oa variable, which contains a string that is both Base64 encoded and XOR encrypted. The XOR key required for decryption is embedded within the bd variable, which is constructed from the pt and rm constants. The script then calls a function, most likely atob (inferred from self[[cx[4], cx[3], cx[2], cx[0]].join(''), which assembles the name at run time rather than writing it out), to decode the Base64 string, and subsequently applies the XOR decryption using the provided key.
Once decrypted, the resulting payload is used to redirect the victim's browser. Assigning the decrypted URL to the window.location.href property navigates the user to the malicious page, with the decoded email address often appended to the URL. The example provided shows a redirection to hxxps://chinougoo[.]cfd/W74rH61S!x7sbhhS0bKPv/handlers@sans.edu. The use of the .cfd top-level domain is also noteworthy, as it is a less common TLD increasingly abused in phishing campaigns due to its lower cost and perceived legitimacy.
This method of delivery is effective because SVG files are often handled directly by web browsers on operating systems like Windows without triggering immediate security alerts. Furthermore, the attackers are employing a specific MIME type for the embedded script: <script type="application/ecmascript">. This is a valid MIME type for ECMAScript (the standard for JavaScript) and is likely used to circumvent security controls that specifically look for the more common type="text/javascript" or simply type="JavaScript".
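The following Python triage helper is an added example, not code from the original analysis: it lists every script element in an SVG regardless of namespace or MIME type (so application/ecmascript is not missed), and reverses the Base64-then-XOR layering using the campaign's nl, oa and bd variable names. The sample SVG, the placeholder URL and the key "k3y" are constructed for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Matches simple string-literal assignments such as: var oa = "...";
LITERAL = re.compile(r'\b(?:var|let|const)\s+(\w+)\s*=\s*"([^"]*)"')

def find_scripts(svg_text: str) -> list[dict]:
    """Every <script> element in any namespace, whatever its type attribute.
    Filtering on type="text/javascript" alone misses application/ecmascript."""
    root = ET.fromstring(svg_text)
    return [{"type": (el.get("type") or "").strip().lower(), "body": (el.text or "").strip()}
            for el in root.iter() if el.tag.rsplit("}", 1)[-1].lower() == "script"]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine both applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_payload(oa: str, bd: str) -> str:
    """Undo the script's layering: atob(oa), then XOR with the key string bd."""
    return xor_bytes(base64.b64decode(oa), bd.encode()).decode("utf-8", "replace")

def build_sample(target: str, email: str, key: str) -> str:
    """Constructed sample SVG (no graphics, one script) used to exercise the triage."""
    oa = base64.b64encode(xor_bytes(target.encode(), key.encode())).decode()
    nl = base64.b64encode(email.encode()).decode()
    return (f'<svg xmlns="http://www.w3.org/2000/svg">\n'
            f'  <script type="application/ecmascript">\n'
            f'    var nl = "{nl}"; var oa = "{oa}"; var bd = "{key}";\n'
            f'    window.location.href = decode(oa, bd) + atob(nl);\n'
            f'  </script>\n</svg>')

def triage(svg_text: str) -> dict:
    """Analyst summary: script count, MIME types seen, recovered redirect and email.
    The variable names nl/oa/bd are those reported for this campaign."""
    scripts = find_scripts(svg_text)
    report = {"script_count": len(scripts), "types": sorted({s["type"] for s in scripts}),
              "redirect": None, "email": None}
    for s in scripts:
        lits = dict(LITERAL.findall(s["body"]))
        if {"oa", "bd"}.issubset(lits):
            report["redirect"] = decode_payload(lits["oa"], lits["bd"])
        if "nl" in lits:
            report["email"] = base64.b64decode(lits["nl"]).decode("utf-8", "replace")
    return report

if __name__ == "__main__":
    sample = build_sample("https://phish.example/landing/", "analyst@example.com", "k3y")
    print(triage(sample))
```

Run against a real attachment, a non-empty script_count is the alert condition on its own; the decoded redirect is only recoverable when the script follows this campaign's variable layout.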
By using SVG files with embedded, obfuscated JavaScript and a less common MIME type, threat actors aim to bypass traditional email security filters and antivirus solutions that might flag traditional JavaScript attachments or executables. The redirection to a phishing page then aims to harvest credentials or other sensitive information from the victim.
Security professionals are advised to be vigilant against these types of sophisticated phishing lures. While the current campaign appears focused on credential harvesting via phishing pages, the underlying technique could be adapted to deliver other types of malware or payloads. Organizations should ensure their email security gateways are configured to inspect SVG attachments for malicious scripts and educate users about the risks associated with unexpected attachments, even those that appear to be simple images.