File smuggling is one of the common, well-known techniques for delivering malware. The core concept behind file smuggling is the covert delivery of malicious content by bypassing detection mechanisms or fooling enterprise security solutions. Historically, attackers relied on straightforward techniques such as embedding malicious files within archives or hiding payloads in macros within Office documents. However, as enterprise solutions improved, file smuggling attacks adapted, leading to the rise of more sophisticated attack techniques.
In this talk we will uncover one of the most recent file smuggling techniques, which uses Scalable Vector Graphics (SVG) files. Initially, SVG files were seen simply as image files, and their flexibility in handling embedded content made them ideal for attackers for payload delivery. Early forms of SVG-based malware delivery involved embedded URLs that triggered the download of malicious content when the SVG file was opened in a browser. Over time, attackers refined this approach by embedding entire payloads within the SVG files themselves, turning these images into fully functional carriers for malware delivery.
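The two SVG traits described above (embedded URLs that trigger a download, and entire payloads carried inside the image) are also what a defender can look for. The following is an added example of a simple triage scanner, not code from the talk or from the AutoSmuggle project: it parses an SVG and flags script elements, event-handler attributes, external or javascript: links, non-image data: URIs and long base64-like blobs. The two sample SVGs, the 200-character blob threshold and the domain example.invalid are constructed for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET  # in production, parse with defusedxml to resist entity-expansion attacks

# Assumed heuristics (constructed for this example); tune to your environment.
BASE64_BLOB_MIN_LEN = 200
BENIGN_DATA_MIME_PREFIXES = ("image/",)  # data: URIs carrying images are normal inside an SVG


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}' from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignObject":
            findings.append("foreignObject element (can wrap arbitrary HTML)")
        for attr, val in el.attrib.items():
            name = _local(attr)
            lowered = val.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            if name == "href":  # covers both plain href and xlink:href
                if lowered.startswith("javascript:"):
                    findings.append("javascript: href")
                elif lowered.startswith(("http://", "https://")):
                    findings.append(f"external href {val}")
                elif lowered.startswith("data:"):
                    mime = lowered[5:].split(";", 1)[0].split(",", 1)[0]
                    if not mime.startswith(BENIGN_DATA_MIME_PREFIXES):
                        findings.append(f"non-image data: URI ({mime or 'no type'})")
    # Coarse heuristic for an embedded payload: a long run of base64 alphabet characters
    # that is not the body of an ordinary data:image/... URI.
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % BASE64_BLOB_MIN_LEN, svg_text):
        prefix = svg_text[max(0, m.start() - 40):m.start()]
        if "data:image/" in prefix:
            continue
        findings.append(f"base64-like blob of {len(m.group(0))} chars")
    return findings


def is_suspicious(svg_text: str) -> bool:
    return bool(scan_svg(svg_text))


# Constructed sample inputs.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

# A stand-in for an embedded payload: 180 arbitrary bytes, base64-encoded (240 characters).
# There is deliberately no decode or download logic here, only the blob a scanner would see.
BLOB = base64.b64encode(bytes(range(180))).decode()

SUSPICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script><![CDATA[ var p = "{BLOB}"; ]]></script>
  <a xlink:href="https://example.invalid/payload"><text x="1" y="1">click</text></a>
  <image href="data:application/octet-stream;base64,AAAA"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(doc) or "no findings")
```

The scanner is a triage aid rather than a verdict: SVGs used in web applications legitimately carry scripts and event handlers, so the findings are best fed into a mail or web gateway rule that quarantines SVG attachments with script, foreignObject or non-image data: URIs, and logs the rest for review.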
In May 2022, I contributed to a project, AutoSmuggle, which emerged as a tool designed to simplify the process of embedding malicious files into SVG. While AutoSmuggle streamlined the smuggling process, my own innovation introduced a new, sophisticated variant of SVG smuggling, which was weaponized in recent malware campaigns. This new variant of SVG smuggling was used in high-profile campaigns during December 2023 and January 2024 to deliver XWorm RAT and the Agent Tesla keylogger. These campaigns demonstrated how a new variant of SVG smuggling could be used to target industries and regions globally.