New Email Phishing Attack: Hackers Hide Malware in Blank SVG Image via DocuSign HTML Attachment

Researchers at Avanan, A Check Point Company, have revealed its latest research analyzing how hackers hide malicious content inside “blank images,” creating automatic redirects that bypass anti-malware checks. 

  • This technique adds a layer of sophistication to malicious HTML attachments with the <meta> tag, obfuscating the URL to evade link analysis and redirect to a compromised domain. 
  • This email campaign starts with what appears to be a document from DocuSign, requesting the user to review and sign the document. 
  • The document provides an HTM attachment containing an empty SVG image; clicking on the image within the document automatically redirects visitors to a malicious URL.

Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan had this comment:

“Hackers can target practically anyone with this technique. Like most attacks, the idea is to use it to get something from the end-user. Any user with access to credentials or money is a viable target. HTM attachments aren’t new, nor are using Base64 trickery. What is new and unique is using an empty image with active content inside–a javascript image–which redirects to a malicious URL. It’s essentially using a dangerous image, with active content inside that traditional services like VirusTotal don’t detect.” 

You can read the full report here. It also has defence strategies in the report that you will find useful as well.

Leave a Reply

%d bloggers like this: