Researchers observe SVG files being used to distribute ransomware

AppRiver observed thousands of phishing emails being sent to small stores, law offices, IT businesses, schools and more.

Researchers with AppRiver have observed attackers sending out phishing emails with SVG files attached – these files, when downloaded and executed, open up websites that download what appears to be CryptoWall ransomware.

AppRiver observed thousands of phishing emails – one was sent from a Yahoo address and claimed to include a resume – being sent to small stores, law offices, IT businesses, schools and more, Jon French, security analyst with AppRiver, told SCMagazine.com in a Thursday email correspondence.

In order for an infection to occur, user interaction is required more than once, French indicated.

First, a user must download the ZIP attachment in the phishing email, which contains the SVG file. When the user opens the SVG file, a small JavaScript entry will cause their browser to open to a website that leads to another ZIP file being downloaded. This file contains the payload, which must be manually executed.
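The chain described above (ZIP attachment, SVG inside it, a small script in the SVG that sends the browser to another site) is the kind of thing a mail gateway or triage script can flag before the user ever opens the file. The following is an added example written for this article, not code from AppRiver or from the campaign: it opens a ZIP attachment in memory, pulls out any `.svg` members, parses them as XML and reports script elements, event-handler attributes, `javascript:` hrefs and navigation calls. The sample attachment, the file names `logo.svg` and `resume.svg`, and the placeholder URL are all constructed for the demo.

```python
"""Detection example for SVG-in-ZIP phishing attachments (added illustration,
not AppRiver's code). Flags SVG members that carry script or navigation tricks."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed samples: one harmless SVG and one carrying an inline script that
# redirects the browser, mirroring the behaviour the article describes.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<circle cx="5" cy="5" r="4" fill="red"/></svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<script type="text/javascript">window.location = "http://EXAMPLE_PLACEHOLDER.invalid/";</script>
</svg>"""


def svg_indicators(data: bytes) -> list[str]:
    """Return the reasons an SVG looks suspicious (empty list means none found)."""
    reasons = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A file that claims to be SVG but does not parse deserves a closer look too.
        return ["unparseable svg"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the XML namespace
        if tag == "script":
            reasons.append("inline <script> element")
        if tag in ("foreignobject", "iframe"):
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):                 # onload=, onclick=, ...
                reasons.append(f"event handler attribute {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript: href")
    # Cheap textual check for the navigation pattern, independent of XML structure.
    text = data.decode("utf-8", errors="ignore")
    if re.search(r"window\.location|document\.location|location\.href", text):
        reasons.append("browser navigation via location")
    return reasons


def scan_zip_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Open a ZIP attachment in memory; map each .svg member to its indicators."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".svg"):
                findings[info.filename] = svg_indicators(zf.read(info))
    return findings


def build_sample_zip() -> bytes:
    """Build the constructed demo attachment containing both sample SVGs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logo.svg", BENIGN_SVG)
        zf.writestr("resume.svg", SUSPICIOUS_SVG)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(name, "->", reasons or "clean")
```

A gateway rule built on this would quarantine any SVG attachment with a non-empty indicator list rather than trying to judge the destination URL, since the article's point is that the redirect itself is legitimate SVG functionality being used for delivery; the decision has to rest on whether an image attachment has any business carrying script at all.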

French said he found the attack unique because he has never seen SVG files used this way before.

“The action taken, opening the browser to a link, is supported by the SVG format so they weren't really abusing what it's capable of, just using it in a malicious way,” French said, adding, “Most likely this was done using the SVG instead of an attached HTML file to throw off scanners.”

The ransomware demands $700 in Bitcoin to unlock encrypted files, and the ransom goes up to $1,400 if a payment is not made within 168 hours, French explained. The malware is believed to be CryptoWall because it creates certain files upon execution that are associated with the threat, a blog post said.

AppRiver noted in the post that SQL commands were hardcoded into the ransomware that appear to be related to a school's SQL database.

“It's possible the SQL commands were there to just distract,” French said. “With them being hardcoded commands, I'm leaning towards that or the code was possibly just reused from something else. If the attacker had built in a method to actually attack a SQL database, things like table names would probably not be plainly visible in the EXE.”

However, he continued, "to argue both sides, it's also possible there may need to be a very specific set of circumstances to be met for the executable to try and mangle a SQL database.”
