Bad guys are getting quite creative trying to evade spam filters and antivirus scanners. Last week, we have observed an influx of spam campaign targeting a Japanese audience.
Translated to English:
Subject: Photo
We always appreciate your regards. (This is a business greeting in Japanese)
Thank you for sending photos.
The spam contains a small zip file attachment and inside it is a SVG file.
Scalable Vector Graphics or SVG is a vector graphic image file defined using XML-based format. These image files are natively supported and can be viewed from web browsers such as Internet Explorer, Chrome or Firefox. Like HTML, SVG images can be represented using the Document Object Model (DOM) and can be controlled using JavaScript. Yes, you heard that right, JavaScript and this is exactly how bad guys exploit this file format. By injecting malicious JavaScript code into the file, they can redirect the browser to a malicious website.
The image below shows the inspection of the SVG file and the malicious JavaScript embedded in it.
De-obfuscating the JavaScript reveals the code that redirects the browser to download an executable.
The link was already down at the time the spam was received, but according to the folks at myonlinesecurity.co.uk it was an Urnif Baniking Trojan executable.
You may want to consider adding *.svg files to the list of suspect filetypes at your email gateway, either for quarantining or flagging. The Trustwave Secure Email Gateway has been updated to block this type of malicious spam attachment.