Hackers Hiding Keylogger, RAT Malware in SVG Image Files

Threat actors are hiding malware in SVG image files to evade detection and deliver ransomware, download a banking Trojan and distribute malware.

See Also: Live Webinar | Secrets Detection: Why Coverage Throughout the SDLC is Critical to Your Security Posture

Cofense Intelligence researchers in January observed a two-month campaign that used SVG files to deliver Agent Tesla Keylogger and XWorm RAT malware. The researchers advise security teams to remind users to watch for unexpected downloads upon opening an SVG file, the telltale sign of a compromise.

The Scalable Vector Graphic file format uses mathematical equations to describe images, which enables them to be scaled without loss of image quality and makes them suitable for diverse design applications.

AutoSmuggle, an open-source tool released in May 2022, enables threat actors to embed malicious files within SVG or HTML content, bypassing security measures such as secure email gateways and increasing the chances of successful malware delivery.

The use of SVG files for malware delivery was first observed in 2015, but researchers said hackers have refined their tactics to bypass security measures and successfully distribute harmful payloads. SVG files distributed Ursnif malware in 2017 and were used to smuggle .zip archives…