Ancestors

Toot

Written by Fellows on 2025-01-21 at 19:14

If you’re not blocking SVG (Scalable Vector Graphic) attachments in email messages you might want to.

I have observed something I haven’t yet seen. Malicious email messages where the attachment the threat actor wants the target to open is an SVG file pretending to be an agreement.

The SVG file, when loaded, makes an HTTP call to load a remote image; it also contains a transparent layer which links to the malicious website.

Looks to be an attempt at evading detection.

[#]ThreatIntel


Descendants

Written by rtificial on 2025-01-21 at 20:11

@fellows is this the svg xss payload?


Written by Fellows on 2025-01-21 at 20:25

@rtificial all that’s in the SVG file is a height and width tag, image tag pointing to the lure image, and an a click tag pointing to the malicious website. There was no scripting in the file.


Written by Martin Owens :inkscape: on 2025-01-22 at 05:31

@fellows @rtificial

Height and width attributes, image tag with an external href with what I guess is an anchor tag. But could also be an onclick js attribute.

Email programs shouldn't be loading SVG as web documents, but as images. There's a standard pattern for how to do that.

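As an added illustration (not code from anyone in this thread): a small triage function a mail gateway could run over an SVG attachment, flagging the traits discussed above: a remote image reference, an anchor link, script elements and on* event attributes. The sample SVG is constructed to match Fellows' description; the .example hostnames are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: width/height, an <image> fetching a remote lure,
# and an <a> wrapping a fully transparent rect over the whole canvas.
SAMPLE_LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="800" height="600">
  <image width="800" height="600" xlink:href="https://lure.example/agreement.png"/>
  <a href="https://phish.example/login">
    <rect width="800" height="600" fill-opacity="0"/>
  </a>
</svg>"""

REMOTE_SCHEMES = ("http://", "https://", "//")


def inspect_svg(data: bytes) -> dict:
    """Walk every element and collect the traits that make an SVG behave
    like a web document rather than a plain image. For untrusted input in
    production, parse with defusedxml instead of the stdlib parser."""
    findings = {"remote_refs": [], "links": [], "scripts": 0,
                "event_handlers": [], "parse_error": False}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings["parse_error"] = True   # malformed file: treat as suspicious
        return findings
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip namespace
        if tag == "script":
            findings["scripts"] += 1
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()       # xlink:href -> href
            if name.startswith("on"):                # onclick, onload, ...
                findings["event_handlers"].append(f"{tag}@{name}")
            elif name == "href":
                value = value.strip()
                if tag == "a":
                    findings["links"].append(value)  # clickable overlay
                elif value.lower().startswith(REMOTE_SCHEMES):
                    findings["remote_refs"].append(value)  # remote fetch
    return findings


def should_quarantine(findings: dict) -> bool:
    """A static, self-contained drawing has none of these traits."""
    return bool(findings["parse_error"] or findings["scripts"]
                or findings["event_handlers"] or findings["remote_refs"]
                or findings["links"])
```

Rendering the attachment with a pure image library (as Martin Owens suggests) removes the link and script behaviour anyway; this check is for gateways that still hand the file to a browser engine.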

Written by dritsec on 2025-01-21 at 20:19

@fellows It's not completely new. #bleepingcomputer covered this mechanism in November already.

Send e-mails with SVG attachments to quarantine in your mail gateway.

https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/


Written by Kevin Karhan :verified: on 2025-01-21 at 21:49

@fellows At least make SVGs not render but require them to be saved to disk.


Written by Maarten Pelgrim on 2025-01-21 at 22:16

@fellows Interesting. Never seen it, but will keep an eye out now.


Written by da_667 on 2025-01-22 at 00:43

@fellows sounds familiar. there was a somewhat recent roundcube XSS vuln that took advantage of SVG tags in HTML e-mails (Roundcube rcube_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)). I almost never see legit use cases for SVG and TIFF outside of niche professions.


Written by DB Schwein on 2025-01-22 at 01:45

@da_667 @fellows

I don't know how niche it is, but almost anyone using any sort of CAD machine, whether it's lasers, CNCs, or other things like that - SVGs are bread and butter. There are a lot of proprietary file types, but SVGs are cross compatible ☹️


Written by Martin Owens :inkscape: on 2025-01-22 at 05:38

@da_667 @fellows @dritsec @kkarhan

See, this is why we can't have nice things. Blocking, filtering and requiring extra steps just because a file is an svg is overkill and unnecessary. (Unless you have reason to mistrust your email clients).

There are libraries that correctly isolate the image portions of svg so they are rendered as images, not as web documents. See librsvg.

My Bias: Every time people have an allergic reaction to svg, vector images become less available and useful to the public.


Written by da_667 on 2025-01-22 at 05:49

@doctormo @fellows @dritsec @kkarhan dude I understand your point of view, believe me, vector images are great, but then someone said "yeah, sure, let's let SVG tags run javascript onEvents." and that never fucking changed. It's why we're having this conversation today in the first place.

You're telling me about being able to trust the mail client or the web browser, or webapp, well... everyone trusts their mail client or the web portal until there's an advisory with the software's name on it.

Vector images are a great hill to die on, but fuck SVG.


Written by Martin Owens :inkscape: on 2025-01-22 at 06:24

@da_667

JavaScript isn't required in svg.


Written by Fellows on 2025-01-22 at 05:54

@doctormo @da_667 @dritsec @kkarhan Completely depends on your use case within your org. You personally might feel it’s overkill, others might say, if the format isn’t being supported internally, there’s no reason to let it in.

Not a matter of mistrusting email clients, more about sparing users from making bad judgement calls.

We can’t have nice things because we have folks with malicious intentions, who take seemingly benign files and turn them into something the developer had not intended.


Written by DB Schwein on 2025-01-22 at 01:30

@fellows

JFC

As a person who works in SVGs, and exchanges them regularly, this is an issue.


Written by I am Jack's Lost 404 on 2025-01-22 at 03:02

@fellows

But... Does it scale???

<I'll show myself out :catgooglyfingerguns: 🚪 >


Written by Albirew on 2025-01-22 at 21:11

@fellows@cyberplace.social on a more "classic" way, it can also be used for tracking purposes...

