Adult Websites Hiding Exploit Code in Inappropriate .svg Files

Obfuscated Code Found in SVG Files from Pornography Sites Triggers Malicious Attacks

Recent findings from cybersecurity firm Malwarebytes have revealed alarming abuse of the SVG file format on various adult-themed websites. Researchers discovered that these sites were serving SVG files containing obfuscated JavaScript which, when downloaded, initiates a chain of further malicious scripts and exposes users to significant security risks.

The obfuscated code, once decoded, directs the browser to fetch further layers of hidden JavaScript, culminating in the execution of a harmful payload known as Trojan.JS.Likejack. This malicious script surreptitiously clicks the ‘Like’ button on specific Facebook posts, leveraging the victim’s authenticated session on the platform without their knowledge or consent. Pieter Arntz, a researcher at Malwarebytes, emphasized that this exploitation hinges on the user being logged into Facebook, a common situation since many users stay signed in for convenience.

This incident underscores a broader concern regarding the misuse of the SVG format. Historical precedents exist, with attacks recorded as far back as 2023 in which attackers used SVG tags to exploit cross-site scripting (XSS) vulnerabilities. For example, pro-Russian hackers employed the format to compromise Roundcube, a server application serving over 1,000 webmail services. Moreover, researchers have previously documented phishing schemes that manipulate SVG files to generate counterfeit login screens, thereby facilitating unauthorized access.

Malwarebytes has identified numerous adult websites operating on the WordPress content management system that utilize SVG files in this malicious manner to commandeer user interactions on social media. Facebook has been responsive to such abuses, frequently suspending accounts involved in similar activities, only for offenders to create new profiles in an ongoing cycle of violation.
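The active content described above (inline scripts, event-handler attributes and script: URLs inside an SVG) is what a site operator or upload filter should be looking for. The following scanner is an added example, not code from Malwarebytes or from the article; the obfuscation markers and the two sample SVG documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "{http://www.w3.org/1999/xlink}"

# Heuristic markers of packed or obfuscated JavaScript (assumption: a reviewer
# wants these flagged; they are generic indicators, not signatures of one campaign).
OBFUSCATION_MARKERS = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|atob\s*\(|"
    r"document\.write|(\\x[0-9a-fA-F]{2}){8,}"
)
EVENT_ATTR = re.compile(r"on[a-z]+")


def scan_svg(svg_text: str) -> list[str]:
    """Return findings describing active content inside an SVG document.

    An empty list means no script-bearing constructs were seen; it does not
    prove the file is benign. Production scanners should parse with defusedxml
    to block entity-expansion attacks before inspecting the tree.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the namespace prefix
        if tag == "script":
            findings.append("inline <script> element")
            if OBFUSCATION_MARKERS.search(el.text or ""):
                findings.append("script body matches obfuscation markers")
            src = el.get("href") or el.get(f"{XLINK_NS}href")
            if src:
                findings.append(f"script loads external resource: {src}")
        if tag == "foreignobject":
            findings.append("<foreignObject> (can embed arbitrary HTML)")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if EVENT_ATTR.fullmatch(local):
                findings.append(f"event handler attribute {local} on <{tag}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed samples for testing; not files taken from the campaign described.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    '<script>eval(unescape("%31%2b%31"))</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, scan_svg(doc) or ["no active content found"])
```

Run it over the files in a WordPress uploads directory (or on an upload hook) and quarantine anything that returns findings for manual review.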

From a cybersecurity perspective, this incident exemplifies tactics that could align with several stages identified in the MITRE ATT&CK framework. Initial access might be achieved through the user unwittingly downloading the SVG file, followed by persistence as the embedded scripts trigger repeated actions on Facebook. Privilege escalation tactics could also be at play if attackers gain enhanced capabilities via the user’s authenticated session.

Business owners should remain vigilant about such threats, particularly in understanding how seemingly innocuous file formats may harbor significant security vulnerabilities. The importance of robust cybersecurity practices becomes even more evident as adversaries develop increasingly sophisticated methods of exploiting user trust and application functionalities.

The implications of this attack extend beyond individual users, urging companies to evaluate their security protocols concerning third-party content integration. As digital environments become ever more interconnected, the ability to anticipate and mitigate such threats is paramount in safeguarding sensitive information and maintaining user trust in online platforms.
