Cybercriminals are using #Scalable_Vector_Graphics (#SVG) files to deliver malware. SVG is an XML-based vector image format for two-dimensional graphics that supports interactivity and animation, and SVG files can natively contain #JavaScript code that browsers execute when the SVG is loaded.
The campaigns leverage the #AutoSmuggle tool, introduced in May 2022, which embeds malicious files into SVG/HTML content to bypass security measures. Notably, SVG files were exploited to distribute #ransomware in 2015 and the #Ursnif malware in January 2017. A significant advancement occurred in 2022, with malware like #QakBot being delivered through SVG files containing embedded .zip archives. AutoSmuggle campaigns in December 2023 and January 2024 delivered the #XWorm #RAT and #Agent_Tesla #Keylogger, respectively, showcasing a shift towards embedding executable files directly within SVG files to evade detection by Secure Email Gateways (#SEGs). This evolution underscores the need for updated security measures to combat sophisticated malware delivery methods.
The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.
Original report: Cofense
SVG Files Abused in Emerging Campaigns | Cofense

Learn how threat actors are exploiting the use of SVG files for malware delivery and how to protect your organization from these emerging campaigns.

Cofense
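The traits the post describes (native script in SVG, a base64-embedded archive, a handler that fires on load) are all visible statically, which is what a Secure Email Gateway or a triage script should key on. The following is an added example, not code from the Cofense report or from the AutoSmuggle tool: it flags `<script>` elements, `on*` event handlers, `javascript:` hrefs and base64 blobs that decode to an archive or executable. The two SVGs it scans are constructed here (the "payload" inside the zip is a placeholder), the magic-byte table and the 64-character blob threshold are my own choices, and it assumes the standard-library XML parser is acceptable; for untrusted input in production, parse with defusedxml.

```python
"""Static triage of SVG files for HTML-smuggling indicators.

Added example (not from the Cofense report or the AutoSmuggle tool).
Sample inputs are constructed inline so the script runs offline."""
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Magic bytes of containers and executables worth flagging once decoded (assumed list).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe-executable",
    b"\x1f\x8b": "gzip",
    b"Rar!": "rar",
    b"%PDF": "pdf",
}
# Long base64 runs; 64 chars (48 bytes) already exceeds typical legitimate attribute values.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/1999/xlink}'."""
    return name.rsplit("}", 1)[-1]


def _decoded_payloads(text: str):
    """Yield (kind, size) for every base64 blob whose decoded bytes start with a known magic."""
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:
            continue  # long alphanumeric run that is not valid base64
        for magic, kind in MAGIC.items():
            if raw.startswith(magic):
                yield kind, len(raw)
                break


def scan_svg(data: bytes) -> dict:
    """Return indicator counts for one SVG plus an overall 'suspicious' verdict."""
    findings = {"script": 0, "event_handlers": [], "javascript_uris": 0,
                "foreign_objects": 0, "payloads": [], "malformed": False}
    try:
        root = ET.fromstring(data)
        for el in root.iter():
            tag = _local(el.tag)
            if tag == "script":
                findings["script"] += 1
            elif tag == "foreignObject":  # can wrap arbitrary HTML, e.g. an <iframe>
                findings["foreign_objects"] += 1
            for attr, value in el.attrib.items():
                a = _local(attr)
                if a.lower().startswith("on"):
                    findings["event_handlers"].append(a)
                if a == "href" and value.strip().lower().startswith("javascript:"):
                    findings["javascript_uris"] += 1
    except ET.ParseError:
        # Browsers tolerate some markup a strict XML parser rejects, so fall back
        # to a regex pass instead of declaring the file clean.
        findings["malformed"] = True
        lowered = data.lower()
        findings["script"] = len(re.findall(rb"<script\b", lowered))
        findings["event_handlers"] = [h.decode() for h in re.findall(rb"\s(on[a-z]+)\s*=", lowered)]
    findings["payloads"] = list(_decoded_payloads(data.decode("utf-8", "replace")))
    findings["suspicious"] = bool(findings["script"] or findings["event_handlers"]
                                  or findings["javascript_uris"] or findings["payloads"])
    return findings


def build_smuggling_sample() -> bytes:
    """Constructed stand-in for a smuggling SVG (not a real sample): a zip archive is
    base64-embedded and a script rebuilds it as a Blob and triggers a download on load."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.js", "// placeholder, not a real payload\n" * 3)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f'''<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="go()">
  <script type="text/javascript"><![CDATA[
    function go() {{
      var bytes = Uint8Array.from(atob("{b64}"), function (c) {{ return c.charCodeAt(0); }});
      var a = document.createElement("a");
      a.href = URL.createObjectURL(new Blob([bytes], {{type: "application/zip"}}));
      a.download = "invoice.zip";
      a.click();
    }}
  ]]></script>
</svg>'''.encode()


# Constructed benign control: a plain rectangle, no script, no handlers.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("smuggling", build_smuggling_sample())):
        print(label, scan_svg(svg))
```

The decode step matters more than the tag check: a gateway that only greps for `<script>` misses an SVG whose archive sits in a data attribute and is pulled out by a script loaded from elsewhere, while a decoder that looks for archive and PE headers catches the embedded file regardless of how it is referenced.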

#Malware Campaigns #Italy Week 41

🔥 Persistent
#Ursnif: #AgenziaEntrate
#DarkGate: Resend link to ZIP
#AgentTesla: Payment

💣 One-off
#RemcosRat: Payment
#Lokibot: Bank
#ScreenConnect: Invoice PDF

#mwitaly

#Malware Campaigns #Italy Week 40

🔥 Persistent
#AgentTesla: Purchase order
#Ursnif - #PureLogs: #AgenziaEntrate
#SpyNote: Banking #APK

💣 One-off
#PikaBot: Resend link ZIP

#mwitaly

#Malware Campaigns #Italy Week 39
☠️ Persistent
#AgentTesla: Offer
#Formbook: Invoice
#SpyNote: Bank #APK
#Ursnif: #AgenziaEntrate
💣 One-off
#DarkGate - #IcedID: Resend link ZIP
#mwitaly

#Malware Campaigns #Italy Week 38

☠️💣🔥

#AgentTesla: Bank payment
#Brata - #SMSSpy: Bank #APK
#Ursnif: SMB payments
#AveMaria - #AsyncRAT: Order
#Formbook: Supply
#ScreenConnect: Payment
#BitRAT - #RemcosRat: Document

#mwitaly

#Malware Campaigns #Italy Week 37

☠️ Persistent
#AgentTesla: Bank payment
#Guloader: Records

💣 One-off
#IcedID: Documents
#Vidar: Payments via PEC
#Ursnif: Invoice
#BitRat: Documents

#mwitaly

#Malware Campaigns #Italy Week 28 🔥

#AgentTesla: Order proposal
#RemcosRAT: Payment
#Formbook: Bank
#Rhadamanthys: Reminder
#Ursnif: Invoice
#Lokibot: Quote
#IcedID: Resend

#mwitaly #ioc

The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html #CyberSecurity #GoogleAds #BATLOADER #malware #VidarStealer #Ursnif
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

Malware downloader BATLOADER has been found abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif.

The Hacker News

New blog post! In this one I look at a #BATLoader MSI sample referenced by @malwrhunterteam which resulted in #Ursnif and #Redline execution. Some fun twists and turns in this. https://forensicitguy.github.io/batloader-ursnif-redline-oh-my/

#malware

BATLoader, Ursnif, and Redline, oh my!

Earlier today, @MalwareHunterTeam posted on Twitter about a malicious MSI file masquerading as a Rufus installer.

Tony Lambert