SVG has all the makings of a great malware distribution medium, and crooks are bound to migrate to this new file format, now that Google has moved to ban .js email attachments.
SVG is an XML-based image file format for storing scalable vector graphics.
Gmail and most email providers will look inside ZIP archives unless they're password protected. When the .js ban kicks in on February 13 for Gmail's services, most spammers will be forced to adapt, as they won't be able to use .js files anymore.
Even better for the crooks, SVG files open by default in Internet Explorer on Windows, which is the perfect medium for executing malicious JS.
SVGs used in malware campaigns in the past
In the past year, we’ve already seen SVG files used for malware delivery. For example, at the end of November, a spam campaign on Facebook spread SVG images to users in France.
When users opened this image, they were redirected to a YouTube website clone that asked them to install a rogue Chrome extension, which stole their browser credentials. The true damage came after, when some users reported having their PCs infected with Locky ransomware.
A more recent campaign was observed just this past week, spotted by @dvk01uk, Trustwave, and SANS ISC.
Researchers found emails with ZIP attachments that contained SVG files instead of JS files; when opened, the SVG would load a page in IE that tried to trick users into downloading an EXE file. This EXE would install the Ursnif banking trojan.
According to researchers, this email campaign with zipped SVG attachments targeted only Japanese users.
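An added defensive check, not code from the article or from the researchers it cites: a Python scan over a ZIP attachment that flags SVG members carrying a <script> element, on* event handlers, or javascript:/http(s) links, the traits that turn an image into the IE-executable payload described above. The member filenames, the onload handler name and the example.invalid link are constructed sample data, not values from any real campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
def svg_risk_indicators(svg_bytes):
    """List reasons an SVG looks active (scripting, links out) rather than a plain image."""
    reasons = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable XML"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()   # strip the namespace prefix
        if tag == "script":
            reasons.append("<script> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):           # onload=, onclick=, ... run JS when rendered
                reasons.append(f"event handler {name}")
            if name == "href" and re.match(r"(?i)\s*(javascript:|https?://)", value):
                reasons.append(f"external or javascript href on <{tag}>")
    return reasons

def scan_zip_attachment(zip_bytes):
    """Map each .svg member of a ZIP attachment to its risk indicators."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".svg"):
                findings[info.filename] = svg_risk_indicators(zf.read(info))
    return findings

# Constructed samples: a plain image and one carrying scripting plus an outbound link.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              b'<script>/* constructed sample, no real payload */</script>'
              b'<a xlink:href="http://example.invalid/page"><text>open</text></a></svg>')

def build_sample_zip():
    """Build an in-memory ZIP shaped like the attachments described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.svg", ACTIVE_SVG)
        zf.writestr("logo.svg", CLEAN_SVG)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(name, "->", reasons or "no indicators")
```

A mail gateway would apply the same check to any .svg extracted from an attachment, and a password-protected ZIP that cannot be opened is itself worth flagging.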