Cybercriminals Use SVG Files to Spread Ransomware - AppRiver

SCMagazine.com reported on 22nd May, 2015 that researchers at security firm AppRiver have observed attackers sending phishing emails with SVG file attachments. If downloaded and executed, these files open websites that download what seems to be CryptoWall ransomware.

SCMagazine.com, in news published on 22nd May, 2015, quoted Jon French, Security Analyst of AppRiver, as saying, "We have observed thousands of phishing emails - one was sent from a Yahoo address and claimed to contain a resume - being sent to law offices, small stores, IT businesses, schools and more."

French indicated that more than one interaction by the user is required for an infection to occur.

First, a user must download the ZIP attachment in the phishing email, which contains the SVG file. When the user opens the SVG file, a small JavaScript entry causes their browser to open a website that leads to the download of another ZIP file containing the payload, which must be executed manually.

French said that he found this attack unique, as he had never before seen SVG files being used this way.

SVG (Scalable Vector Graphics) is an XML-based vector image format for two-dimensional graphics. It supports animation and interactivity, with images and their behavior defined in XML files.
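The delivery chain above depends on an SVG inside a ZIP attachment carrying script, which a mail filter can check for before delivery. The following is an added example, not code from AppRiver or SCMagazine.com; the function names, indicator labels and sample archive are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Raw fallback for SVGs that carry a DTD or are not well-formed XML.
RAW_ACTIVE = re.compile(rb"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.I)

def local(name):
    return name.rsplit("}", 1)[-1].lower()  # drop ElementTree's '{namespace}' prefix

def svg_findings(data):
    """Return sorted active-content indicators for one SVG document."""
    root = None
    if b"<!DOCTYPE" not in data and b"<!ENTITY" not in data:
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            pass
    if root is None:  # never expand entities from untrusted input
        return ["raw-pattern"] if RAW_ACTIVE.search(data) else []
    found = set()
    for el in root.iter():
        if local(el.tag) == "script":
            found.add("script-element")
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                found.add("event-handler")
            elif local(attr) == "href" and value.strip().lower().startswith("javascript:"):
                found.add("javascript-uri")
    return sorted(found)

def scan_zip_attachment(zip_bytes, max_member=5_000_000):
    """Map each .svg member of a ZIP attachment to its indicators."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".svg") and info.file_size <= max_member:
                if hits := svg_findings(zf.read(info)):
                    report[info.filename] = hits
    return report

def constructed_sample():
    """Build a constructed ZIP: one scripted SVG and one plain drawing."""
    ns = b'<svg xmlns="http://www.w3.org/2000/svg">'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.svg", ns + b"<script>/* placeholder */</script></svg>")
        zf.writestr("logo.svg", ns + b'<circle r="4"/></svg>')
    return buf.getvalue()
```

Only archive members that contain active content appear in the report, so an empty result means no SVG in the attachment carried script, event handlers or javascript: links.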

Experts noted an interesting feature of the attack: the malicious executable it serves contains hardcoded SQL commands which seem to target the database of a school.

AppRiver said that some of the organisations, like schools, were secured against this attack, and that it may be possible that someone with knowledge of the SQL naming conventions used for databases at schools might try to do harm with INSERT and DELETE commands.

However, researchers also said that the SQL commands might be included just to make analysis of the malware more time-consuming and complex.

Crypto ransomware has proved several times that it makes attackers more effective at collecting ransom payments from users.

The ploy is still alive and may continue to evolve. Researchers at AppRiver concluded that, in view of the prevailing attacks, it is a good idea to keep a backup of data that the malware cannot reach.

» SPAMfighter News - 6/1/2015
