
AI Code Insight Unmasks Hidden Colombian SVG Malware Lure
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1027.017 Obfuscated Files or Information: SVG Smuggling
Monitor for newly constructed files via JavaScript. Developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by SVG Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. SVG Smuggling is often chained:
Analytic 1 - Detect malicious use of SVG files embedded with script tags to assemble, download, or redirect to payloads.

index=* (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_audit" OR sourcetype="osquery")
(file_name="*.svg" OR file_path="*\Downloads\*.svg" OR file_path="/tmp/*.svg" OR file_path="/Users/*/Downloads/*.svg")
| join type=inner file_path [ search index=* process_name IN ("powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe", "bash", "curl", "wget") | stats min(_time) as proc_time by file_path, process_name, host ]
| eval time_diff=proc_time - _time
| where time_diff >= 0 AND time_diff < 120
| table _time, host, user, file_path, file_name, process_name, command_line, time_diff
| sort _time

Analytic 2 - Suspicious JavaScript or Obfuscation in SVG

file_name="*.svg"
| rex field=_raw ""
| search js_payload="*eval*" OR js_payload="*atob*" OR js_payload="*window.location*" OR js_payload="*document.write*"
| table _time, file_name, js_payload
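Analytic 2 scans raw SVG text for the decoder tokens an embedded script typically needs. The following added example (not from the page or from MITRE) does the same check on the file itself by parsing the SVG and pulling out only the executable content, i.e. script element bodies and inline event-handler attributes, so a keyword buried in a comment or a path label does not trigger it; the function names and the two sample SVGs are constructed for illustration.

```python
"""Static triage of SVG files for script smuggling indicators (T1027.017)."""
import xml.etree.ElementTree as ET

# Indicator tokens named in Analytic 2: a smuggled script usually needs one
# of these to decode its payload or redirect the viewer.
SUSPICIOUS_TOKENS = ("eval", "atob", "window.location", "document.write")

# Attributes whose value runs as JavaScript when a browser renders the SVG.
EVENT_HANDLER_ATTRS = ("onload", "onclick", "onerror", "onmouseover", "onbegin", "onend")


def extract_scripts(svg_bytes: bytes) -> list:
    """Return every executable snippet in the SVG: <script> element text
    (any namespace) plus the values of inline event-handler attributes."""
    scripts = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        # Drop the namespace so {http://www.w3.org/2000/svg}script matches.
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "script" and elem.text:
            scripts.append(elem.text)
        for name, value in elem.attrib.items():
            if name.lower() in EVENT_HANDLER_ATTRS:
                scripts.append(value)
    return scripts


def score_svg(svg_bytes: bytes) -> dict:
    """Report which indicator tokens appear in executable content. If the
    XML does not parse, fall back to scanning the raw text, because a
    malformed SVG may still render in a lenient browser."""
    try:
        scripts = extract_scripts(svg_bytes)
    except ET.ParseError:
        scripts = [svg_bytes.decode("utf-8", errors="replace")]
    joined = "\n".join(scripts)
    hits = sorted(tok for tok in SUSPICIOUS_TOKENS if tok in joined)
    return {"script_count": len(scripts), "hits": hits, "suspicious": bool(hits)}


# Constructed samples: a plain drawing and an SVG carrying a base64 decoder.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
SMUGGLING_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    b'<script><![CDATA[var p=atob("SGVsbG8=");eval(p);]]></script></svg>'
)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("smuggling", SMUGGLING_SVG)):
        print(label, score_svg(data))
```

Pair it with the Analytic 1 correlation above: a file this flags that is then touched by one of the listed interpreters within the two-minute window is a much stronger signal than either check alone.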