Deceptive Yet Detected: NACE Exposes SVG-Attachment Based Phishing Campaign

Quick Read:
- Phishing Strategy: Threat actors are leveraging SVG files embedded with JavaScript to bypass email security technologies and deliver phishing payloads directly to inboxes.
- Objective: The campaign is designed to steal corporate credentials, particularly targeting employees in financial institutions. The use of SVG files allows attackers to evade traditional email security measures and deliver malicious content seamlessly.
- Tactics Observed:
  - Office 365 Anti-Phishing Bypass: The phishing emails successfully bypassed SPF, DKIM, and DMARC checks, making them appear legitimate to email security systems.
  - Attachment Tactics:
    - SVG Files: The emails contain .SVG attachments, which are less commonly scanned by email security tools. These files execute JavaScript when opened, redirecting victims to dynamically generated phishing URLs.
    - Dynamic Phishing Links: Clicking the SVG redirects users to a phishing page designed to steal credentials.
  - Cloudflare CAPTCHA: The phishing pages are protected by a Cloudflare CAPTCHA, which obstructs automated analysis and bypasses domain reputation technologies. This extends the campaign's lifespan by making it harder for security tools to detect and block the malicious domain.
- Low Detection Rates:
  - The SVG attachment evaded detection by all 64 antivirus engines on VirusTotal.
  - The final phishing domain was detected by 0 out of 96 AV engines, highlighting the effectiveness of the evasion techniques.
- Deployment: NACE™ deployed behind Microsoft 365 Security.
Attack Breakdown
Email phishing campaigns continue to evolve, with attackers leveraging innovative methods to evade detection. One such recent tactic involves using SVG (Scalable Vector Graphics) files as phishing vectors. Unlike traditional attachments, SVG files are lightweight, text-based, and often considered benign, making them an effective medium for obfuscating malicious payloads.
In this blog, we analyse a real-world phishing attempt that employed an SVG attachment to trick recipients into compromising their credentials. We also showcase how InceptionCyber's NACE (Neural Analysis and Correlation Engine) successfully detected this sophisticated threat.
The SVG Attachment
The code is embedded within an SVG (<svg>) element, which is typically used for vector graphics. However, in this case, the SVG is being abused to host malicious JavaScript code. This is a common technique to evade detection, as security tools might not scrutinize SVG files as closely as HTML or JavaScript files.
Decoding Process and Phishing Redirection
The link leads to a phishing page behind a Cloudflare CAPTCHA gate. When a user checks the box to prove they're human, they are actually redirected to a page operated by the phishing gang that frames a real MicrosoftOnline login dialog within itself, so it can validate the email address and password at the same time as stealing them.
Some of the variants showed a fake voicemail screen after the captcha. When a user clicks on the play button, the page asks for their Microsoft account credentials.
Phishing Kit Page Analysis
MalSpam actors are increasingly adopting anti-debugging techniques to obstruct analysis and detection of their malicious payloads. These techniques are specifically designed to prevent security researchers and automated tools from reverse-engineering or monitoring their activities.
Anti-Automated tools, Anti-Debugger code
By leveraging these methods, MalSpam campaigns aim to prolong the lifespan of their phishing links, malware downloads, and other malicious content by delaying detection and analysis.
An interesting discovery in the code shows that if a debugger is attached to the browser, the user is redirected to an intermediate page that ultimately leads to a Rakuten shopping page instead of the intended phishing site.
Attachment Details
The SVG file attachments are phishing redirectors that use obfuscation to hide their malicious intent. Even basic obfuscation like hiding a base64-blob inside SVG is enough to evade legacy detection engines.
The attachments on all variants successfully evaded detections from all major Anti-Virus engines. VirusTotal shows most of them have no detections (0/61) or just one detection (1/61).
This shows how easy it is to evade static and behaviour-based detections.
Phishing Domains Details:
In all variants, the phishing kit pages were hosted on newly registered domains. Almost all domains were registered the week prior to the attack. As these domains are new and were encoded inside the SVG, most of them have no detections (0/94) or one detection (1/94) on VirusTotal.
One variant redirected to a Russian hosted domain created 2 months ago and still had only 7/94 hits on VirusTotal.
Evasions Employed by the Code
The script is embedded within an SVG file, which is less likely to be scrutinized by security tools compared to traditional HTML or JavaScript files. The use of try-catch blocks helps the script fail silently, avoiding detection by tools that monitor for errors.
Obfuscation: The use of Base64 encoding, string manipulation, and random comments makes the code difficult to analyze statically. The decoding process is intentionally convoluted to evade signature-based detection.
Dynamic URL creation: The use of a hardcoded, obfuscated string allows the attackers to easily change the payload by updating the encoded string without modifying the rest of the code. Creating a dynamic URL helps it avoid detection via static analysis.
Phishing Redirection: The primary goal of the script is to redirect the victim to a URL.
NACE™ Detection Features:
InceptionCyber's AI-powered detection engine successfully blocked this attack campaign. Key features that allowed the attachments to be classified as malicious without needing a malicious payload are:
- Voicemail Notification Subject: The message had a voicemail retrieval prompt to entice engagement with the links.
- Voicemail Notification Attachment Name: The attachment name denoted that it is a voicemail file.
- Embedded Script in SVG: The attached SVG file contained script code.
The contextual relationship between voicemail semantics and features of the SVG files allowed the attachment to be classified as malicious without needing the final landing URL.
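To make the two preceding sections concrete (the evasions listed under "Evasions Employed by the Code" and the voicemail-plus-script features listed above), here is an added triage example in Python. It is illustrative code written for this page, not Inception Cyber's or NACE's implementation. It parses an SVG attachment for embedded script, event-handler attributes, runtime decoders such as atob, Base64 blobs, navigation calls and silent try/catch, then combines those structural indicators with the message subject and attachment name. The two SVG samples and the redirect target example.invalid are constructed for the test; the thresholds and indicator names are assumptions, not the vendor's.

```python
import base64
import re
import xml.etree.ElementTree as ET

# --- Constructed samples (not artefacts from the campaign) ---------------
# A placeholder target stands in for the attacker's dynamically generated URL.
PLACEHOLDER_URL = "https://example.invalid/account/verify"
_BLOB = base64.b64encode(PLACEHOLDER_URL.encode()).decode()

# Minimal SVG exhibiting the pattern described in the write-up: a <script>
# element that rebuilds a URL from a Base64 string at runtime and navigates
# to it, wrapped in try/catch so any failure is silent.
REDIRECTOR_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script><![CDATA[
    try {{
      var k = "{_BLOB}";
      window.location = atob(k);
    }} catch (e) {{}}
  ]]></script>
</svg>"""

# An ordinary vector graphic with no script at all.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle r="4"/></svg>')

# Lure vocabulary (assumed list) used for the subject / file-name context check.
LURE_WORDS = ("voicemail", "voice message", "voice mail", "missed call", "audio message")
# Runs of 24+ Base64-alphabet characters are treated as an encoded blob.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def analyse_svg(svg_text: str) -> list[str]:
    """Return the structural indicators found in an SVG document."""
    reasons: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["svg-not-well-formed"]

    code_fragments: list[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            code_fragments.append(el.text or "")
        elif tag in ("foreignobject", "iframe"):
            reasons.append(f"embedded-{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):            # onload=, onclick=, ...
                reasons.append(f"event-handler:{name}")
                code_fragments.append(value)
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript-href")
                code_fragments.append(value)

    if code_fragments:
        reasons.append("embedded-script")
    code = "\n".join(code_fragments)
    if re.search(r"\b(atob|unescape|decodeURIComponent)\s*\(|fromCharCode", code):
        reasons.append("runtime-decoder")
    if B64_BLOB.search(code):
        reasons.append("base64-blob")
    if re.search(r"\blocation\b|window\.open\s*\(", code):
        reasons.append("navigation")
    if re.search(r"\btry\b[\s\S]*?\bcatch\b", code):
        reasons.append("silent-try-catch")
    return reasons


def triage_attachment(subject: str, filename: str, svg_text: str) -> tuple[str, list[str]]:
    """Combine message context with SVG content: a scripted SVG delivered as a
    'voicemail' is classified without needing the final landing URL."""
    reasons = analyse_svg(svg_text)
    context = f"{subject} {filename}".lower()
    if any(word in context for word in LURE_WORDS):
        reasons.append("voicemail-lure")
    if filename.lower().endswith(".svg") and re.search(r"voice|audio|\.mp3|\.wav", filename.lower()):
        reasons.append("media-named-svg")   # an image file named like a recording

    scripted = "embedded-script" in reasons
    behaviour = {"runtime-decoder", "navigation", "javascript-href"} & set(reasons)
    lure = {"voicemail-lure", "media-named-svg"} & set(reasons)
    if scripted and (behaviour or lure):
        verdict = "malicious"
    elif scripted or lure:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, reasons


if __name__ == "__main__":
    for args in (("New Voicemail Received", "VoiceMail_0342.svg", REDIRECTOR_SVG),
                 ("Q3 logo", "logo.svg", BENIGN_SVG)):
        print(args[1], *triage_attachment(*args))
```

The point of the combination step is that none of the indicators is individually conclusive: SVG legitimately permits script, and a voicemail subject is only a lure. Together, a scripted image file that rebuilds a URL at runtime and arrives as a "voicemail" is enough to block the message before any landing page is fetched, which is what keeps the verdict independent of the new domain's reputation and the CAPTCHA gate.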
Conclusion
This case highlights how cybercriminals are constantly adapting their phishing techniques to bypass traditional security measures. The use of SVG attachments represents an advanced method of deception, leveraging obfuscated links and social engineering tactics.
Traditional technologies like signature-based detection, sandboxing, and machine learning/deep learning rely on examining malicious payloads, which often remain hidden during analysis due to evasion techniques. This allows multi-stage, evasive, AI or threat actor generated malicious attachments and call-to-action URLs to reach endpoints.
Inception Cyber is transforming threat protection with Intent AI. Our NACE™ platform employs patent-pending advanced semantic and thematic analysis to comprehend intent, and leverages the contextual relationships between intent, SMTP headers, and auxiliary features to classify URLs and attachments as malicious or benign. This advancement moves far beyond traditional reliance on malicious indicators generated by threat actors or AI, to stop the evasive threats that other technologies simply can't identify.
IOC
SHA256 | VT Score of Attachment | Redirects to | VirusTotal Score of URL
61D2E0B7E911B84A7B5A9F738D18A41C7C854A825F76496109946907417CC22D | 0/61 | http[:]//sos.paylessautoz[.]de | 1/96
8395E99DD8D50E7504DAAF82CD5784E0BE1609D9CD6F53FD9B177E4E2C7F6EA1 | 1/61 | http[:]//secure.camicinizi[.]com | 1/96
6C90AB90F3CCB5D4A47BE2A7A80C8E15FB3B4DB55EC0C149962EF93B369A36CB | | https[:]//ZBpH.ethpicara[.]ru/x0IcQE//U<email-id> | 9/96
A5CC788567BE61F5DAD51E783F3A19F3449D6D42F99871E783C0B102254B624F | 0/61 | http[:]//server.hemelfanz[.]com | 0/96
Mar 6, 2025 4:10:18 PM