VirusTotal Discovers Concealed Malware in Phishing Campaigns Using SVG Files

VirusTotal has uncovered a phishing campaign that utilises SVG files to create convincing portals impersonating Colombia’s judicial system, ultimately delivering malware. This discovery was made possible after VirusTotal integrated support for SVGs into its AI Code Insight platform, which employs machine learning to analyse uploaded file samples and summarise any suspicious or malicious behaviour detected. Following this enhancement, VirusTotal identified an SVG file that had zero detections from antivirus scans, yet its AI-powered Code Insight feature revealed that it used JavaScript to display HTML, mimicking a portal for Colombia’s government judiciary system.

The campaign leverages SVG image files to render fake portals that exhibit a deceptive download progress bar, enticing users to download a password-protected zip archive, with the password displayed on the fraudulent portal page. The phishing site is designed to include case numbers, security tokens, and visual cues to establish trust, all crafted within the SVG file. BleepingComputer reported that the extracted contents of the archive included a legitimate executable from the Comodo Dragon web browser, renamed to appear as an official judicial document, alongside a malicious DLL and two encrypted files. If the user executes the legitimate-looking file, the malicious DLL is sideloaded, leading to further malware installation. After identifying the initial SVG, VirusTotal also found 523 previously uploaded SVG files linked to the same campaign that had evaded detection by security software. The addition of SVG support to AI Code Insight proved crucial in exposing this campaign, as VirusTotal noted that AI facilitates the identification of new malicious activities.
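The technique the article describes relies on SVG being an XML format that browsers treat as a document: it may carry `<script>` elements, event-handler attributes such as `onload`, `foreignObject` wrappers that embed arbitrary HTML, and `javascript:` links. The following is an added triage script, not VirusTotal's Code Insight and not anything recovered from the campaign; it statically flags those active-content features so that a mail gateway or SOC analyst can separate a plain image from an SVG that behaves like a web page. The two sample SVGs are constructed for the example, and the `html-write` heuristic (looking for `innerHTML` / `document.write` in script text) is an assumption about what a page-rendering script tends to contain, not a signature from the page.

```python
"""Static triage of SVG files for active content.

Added example (not VirusTotal tooling): flags script elements, event-handler
attributes, foreignObject HTML embedding and scripted URIs so an SVG that
behaves like a web page can be separated from a plain vector image.
"""
import re
import xml.etree.ElementTree as ET

# Scheme prefixes that turn an href into executable or inline content.
RISKY_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# Heuristic (assumption): script text that rewrites the page body.
HTML_WRITE = re.compile(r"innerHTML|document\.write", re.IGNORECASE)


def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return qname.rsplit("}", 1)[-1] if "}" in qname else qname


def scan_svg(svg_text):
    """Return a list of (finding, location) tuples; empty means no active content."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Unparseable input is itself worth a look rather than a silent pass.
        return [("parse-error", str(exc))]

    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append(("script-element", name))
            if elem.text and HTML_WRITE.search(elem.text):
                findings.append(("html-write", name))
        elif name == "foreignObject":
            # foreignObject lets the SVG embed a full XHTML subtree.
            findings.append(("foreign-object", name))
        for attr, value in elem.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):
                findings.append(("event-handler", f"{name}@{a}"))
            elif a == "href" and RISKY_URI.match(value):
                findings.append(("scripted-uri", f"{name}@{a}"))
    return findings


def is_active_content(svg_text):
    """True when the SVG carries anything beyond static drawing instructions."""
    return bool(scan_svg(svg_text))


# Constructed samples for the example: a plain drawing and an SVG that
# behaves like a web page (script, HTML embedding, handler, scripted link).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script><![CDATA[
    function init() { document.body.innerHTML = "<p>Loading</p>"; }
  ]]></script>
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">placeholder page body</div>
  </foreignObject>
  <a xlink:href="javascript:init()"><text x="10" y="20">Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(sample))
```

In a pipeline the useful output is the finding list rather than a verdict: `foreign-object` plus `script-element` on an attachment that claims to be an image is the combination that warrants detonation or manual review, and a `parse-error` on something a user received as an image should not be treated as clean. Note that this is pure static analysis; obfuscated or runtime-assembled content still needs the kind of behavioural review the article credits Code Insight with.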

Categories: Phishing Campaigns, Malware Delivery, SVG File Exploitation 

Tags: Phishing, SVG, Malware, VirusTotal, AI Code Insight, Colombia, Judicial System, JavaScript, Download, Security 
