One Article Review

Home - The article:
Source RiskIQ
Identifier 8617800
Publication date 2024-11-25 22:13:05 (viewed: 2024-11-25 23:12:22)
Title Warning Against Malware in SVG Format Distributed via Phishing Emails
Text

## Snapshot

Researchers at AhnLab Security Intelligence Center (ASEC) have identified a campaign where malware is being distributed through Scalable Vector Graphics (SVG) files.

## Description

These SVG files are being used as attachments in phishing emails, with instructions in the email body on how to execute the file. The SVG malware comes in two types: a downloader type that deceives users into downloading a PDF file, and a phishing type that prompts users to enter account credentials to view an Excel document. The downloader type contains hyperlinks within image content elements that lead to additional malware hosted on legitimate services like Dropbox and Bitbucket. The malware downloaded is a password-protected compressed file containing [AsyncRat](https://security.microsoft.com/intel-profiles/e9216610feb409dfb620b28e510f2ae2582439dfc7c7e265815ff1a776016776), which is capable of stealing information and creating a backdoor. The phishing type uses obfuscated JavaScript within the SVG to encode and transmit the victim's account information to the attacker's server. This technique of embedding malicious code within image content elements makes it challenging for users to recognize the SVG file as harmful. The increase in the use of various file formats for malware distribution, including SVG, highlights the need for caution when opening email attachments from unknown sources, especially those in SVG format.

## Microsoft Analysis and Additional OSINT Context

AsyncRAT is a .NET-based remote access trojan (RAT) that enables attackers to remotely control infected Windows systems, conducting malicious activities such as keylogging, file theft, screenshot capture, and even ransomware deployment. Leveraging asynchronous programming, AsyncRAT can execute multiple tasks simultaneously in the background without affecting the system's performance, making it stealthy and efficient.

To evade detection, AsyncRAT employs obfuscation, encrypts its traffic, disables security features like Windows Defender, and uses dynamic DNS to mask its C2 server's location. Active since at least 2019, it is frequently used to target industries such as finance, healthcare, government, and education. AsyncRAT's versatility and ability to evade detection make it a persistent threat in the cyber landscape. Researchers at G DATA Security Lab identified a similar campaign in which attackers [distributed AsyncRAT through Bitbucket](https://security.microsoft.com/intel-explorer/articles/8e774461). In this campaign, a VBS file contained hidden code that executed a PowerShell command which retrieves AsyncRAT from a Bitbucket repository. [Other legitimate tools, such as TryCloudflare tunnel infrastructure, have been used to execute the AsyncRAT payload.](https://security.microsoft.com/intel-explorer/articles/bf7946e8) Threat actors are increasingly using legitimate file hosting services like SharePoint, OneDrive, and Dropbox for identity phishing and business email compromise (BEC) attacks. These campaigns involve sophisticated social engineering and defense evasion tactics, such as files with restricted access and view-only restrictions, making detection difficult. Typically, the attack begins with compromising a trusted vendor and sharing malicious files that appear legitimate, often requiring re-authentication and leading to identity compromise. Techniques like restricted access files, view-only mode, and time-limited access hinder traditional security measures. Find out more about this tactic by reading Microsoft's blog: [File hosting services misused for identity phishing](https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/?msockid=029395c08bc2665b315481458a11673b).

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your an
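The two SVG behaviours described above (an `<a>` hyperlink wrapped around image content that leads to an external download, and script embedded in the image file) both leave structural traces that a mail gateway or triage script can flag before a user ever opens the attachment. The following scanner is an added example written for this review; it is not ASEC's or Microsoft's detection logic. It parses an SVG attachment and reports embedded `<script>` elements, `<foreignObject>` HTML embeds, `on*` event handlers, `javascript:` URIs and external `http(s)` link targets. The three sample SVGs, the `download.example.invalid` hostname and the heuristic names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_BYTES = 2 * 1024 * 1024  # size cap before parsing (assumption: attachments larger than this are quarantined)


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list[str]:
    """Return a list of findings for one SVG document, in document order.

    Empty list means none of the heuristics fired. The heuristics are this
    example's own, modelled on the downloader and phishing variants described
    in the article. For untrusted input in production, parse with defusedxml
    instead of the stdlib parser to rule out entity-expansion denial of service.
    """
    if len(svg_text.encode("utf-8", "replace")) > MAX_BYTES:
        return ["oversized-attachment"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]

    findings: list[str] = []
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            findings.append("embedded-script")          # phishing variant: JS inside the image
        elif name == "foreignObject":
            findings.append("foreignObject-html-embed")  # HTML (e.g. a login form) rendered inside SVG
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"event-handler:{aname}")
            if aname == "href":  # covers both plain href and xlink:href
                target = value.strip()
                parsed = urlparse(target)
                if parsed.scheme == "javascript":
                    findings.append("javascript-uri")
                elif parsed.scheme in ("http", "https"):
                    # downloader variant: <a> or <image> pointing at an external host
                    findings.append(f"external-link:{name}->{parsed.hostname}")
    return findings


def is_suspicious(svg_text: str) -> bool:
    """Verdict helper for a gateway rule: any finding at all blocks the attachment."""
    return bool(scan_svg(svg_text))


# --- constructed samples (not real campaign artifacts) ---
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

DOWNLOADER_STYLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="200">
  <a xlink:href="https://download.example.invalid/archive.zip">
    <image width="300" height="200" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
    <text x="20" y="100">Open document (PDF)</text>
  </a>
</svg>"""

PHISHING_STYLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="300" height="200" onload="init()">
  <foreignObject width="300" height="200">
    <div xmlns="http://www.w3.org/1999/xhtml">placeholder form</div>
  </foreignObject>
  <script>/* constructed placeholder: obfuscated collection logic would live here */</script>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG),
                       ("downloader-style", DOWNLOADER_STYLE_SVG),
                       ("phishing-style", PHISHING_STYLE_SVG)):
        print(f"{label}: {scan_svg(doc) or 'no findings'}")
```

The scanner walks every element, so it also catches links and handlers nested inside `<g>` groups or `<image>` elements, which is where the article says the hyperlinks were placed. A plain drawing with only shapes and data URIs produces no findings, which keeps the rule usable as a hard block on inbound SVG attachments without breaking legitimate ones.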
Notes ★★★
Sent Yes
Tags Ransomware Malware Tool Threat Medical


The article does not appear to have been picked up after its publication.


The article does not appear to follow on from a previous one.