- Hackers use AI tools to hide phishing code in SVG files disguised as corporate graphics
- The malicious SVGs encode their payloads as business terms, which hidden scripts decode to steal data
- Microsoft attributes the complex obfuscation to AI-generated code rather than typical human-written malware
We have all heard that generative AI is used to write convincing phishing email bodies, but Microsoft researchers have now discovered a campaign in which threat actors took the use of AI in phishing a step further: to better hide the malicious code itself.
In a report shared with TechRadar Pro, Microsoft said it had observed a new phishing campaign sent from a compromised email account belonging to a small business. The technique was not extraordinary: the attackers addressed the message to the compromised account itself and reached the victims through the BCC field, a standard tactic to avoid being spotted.
The email carried a malicious file whose objective was to harvest people's login credentials. It was an SVG file disguised as a PDF. Nothing unusual here either. SVG files are scalable vector graphics used for web images. Because they support embedded scripts, they are usable for phishing: attackers can hide malicious JavaScript inside them, bypassing filters and luring users into clicking harmful links.
But then things get interesting.
Unique obfuscation method
After analyzing the SVG code, Microsoft noted that its obfuscation method and behavior are rather unique.
“Instead of using cryptographic obfuscation, which is commonly used to obscure phishing content, the SVG code in this campaign used business-related language to disguise its malicious activity,” the report said.
It turns out the attackers hid the malware inside SVG files by making them look like ordinary business charts.
The graphics were invisible, so anyone opening the file would only see a blank image.
They also encoded the malicious code as a chain of business words such as “income” and “shares”; a hidden script then reads these words, decodes them and turns them into actions such as redirecting the browser to a phishing site, monitoring the user and collecting browser information.
Essentially, the file looked harmless, but it secretly ran a program that stole data and tracked activity.
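A static triage check for the pattern described above, added here as an example (it is not Microsoft's or TechRadar's code): it parses an SVG and flags the combination of script or event-handler use, invisible elements, and long runs of business terms stashed in attributes or text. The term watchlist, thresholds and both sample SVGs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Hypothetical watchlist; the report only names "income" and "shares" as examples.
BUSINESS_TERMS = {"income", "shares", "revenue", "profit", "assets",
                  "equity", "dividend", "growth", "quarter", "sales"}

HIDDEN_STYLE = re.compile(r"(opacity\s*:\s*0(?![.\d])|display\s*:\s*none|visibility\s*:\s*hidden)")


def term_run(value: str, min_words: int = 8, min_ratio: float = 0.6) -> bool:
    """True if a string is a long run of words dominated by business terms."""
    words = re.findall(r"[a-z]+", value.lower())
    return len(words) >= min_words and sum(w in BUSINESS_TERMS for w in words) / len(words) >= min_ratio


def analyze_svg(svg_text: str) -> dict:
    """Static triage of an SVG: counts script/event-handler use, hidden
    elements and term-encoded strings, then flags the combination."""
    f = {"scripts": 0, "event_handlers": 0, "hidden": 0, "term_runs": 0}
    for el in ET.fromstring(svg_text).iter():
        if el.tag.replace(SVG_NS, "") == "script":
            f["scripts"] += 1
        if el.text and term_run(el.text):
            f["term_runs"] += 1
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):          # onload=, onclick=, ...
                f["event_handlers"] += 1
            if attr in ("opacity", "fill-opacity") and value.strip() == "0":
                f["hidden"] += 1                       # drawn but invisible
            if attr == "style" and HIDDEN_STYLE.search(value):
                f["hidden"] += 1
            if term_run(value):                        # word chain stashed in an attribute
                f["term_runs"] += 1
    # Script plus either hidden content or a term-encoded blob matches the campaign pattern.
    f["suspicious"] = (f["scripts"] + f["event_handlers"] > 0) and (f["term_runs"] > 0 or f["hidden"] > 0)
    return f


# Constructed sample mimicking the described layout; it contains no working decoder.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <g style="opacity:0">
    <text data-k="income shares revenue profit income assets equity shares dividend growth">Q3</text>
  </g>
  <script>/* placeholder: a real sample would decode data-k here */</script>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="blue"/></svg>"""

if __name__ == "__main__":
    print(analyze_svg(SAMPLE_SVG))
    print(analyze_svg(BENIGN_SVG))
```

Run it over an attachment quarantine folder to surface files worth a closer look; the term watchlist should be tuned to the vocabulary seen in your own mail flow.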
This had to be the work of an AI, Microsoft added: “Microsoft Security Copilot assessed that the code was ‘not something that a human generally writes from scratch because of its complexity, its verbosity and its lack of practical utility.’”