There is an increase in SVG attachments used in phishing emails (Scalable Vector Graphics, an XML-based vector image format).
I took a look at the some samples mentioned in the Bleeping Computer article, and searched more samples on VirusTotal.
These samples contain HTML & JavaScript code to display a blurry Excel PNG image, and a phishing form asking for credentials. Like this one:
It contains 3 PNG files as data URIs, which can easily be extracted with base64dump.py:
You have the blurry Excel PNG:
An Excel logo:
And a Microsoft logo:
I made some small changes to the sample, so that it would display an example.com email address, instead of a real victim’s address that I would have to redact. The email address is hardcoded in BASE64 in the SVG file.
Here I made another example, using a SANS email address:
Do you see a difference, besides the SANS email address?
The SANS logo appears in the form!
Where did that logo come from, it’s not embedded in the SVG file!
That logo is retrieved using a web service: logo[.]clearbit[.com].
As an example, here is the retrieval of the Wikipedia logo:
Here are the URLs in this SVG file:
There’s JavaScript code inside this SVG file to make a web request and display the appropriate logo (or the embedded Microsoft logo, if the service doesn’t provide a logo).
And the last URL you see in this screenshot, is where the form data will be posted (the phished credentials).
That one is the most prevalent in the samples I got from VirusTotal, but there are some other ones:
And I have one sample with heavily obfuscated JavaScript, without cleartext URLs. I’ll keep that one for another diary entry …
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.