Attackers peddle malware via blank email images


Threat actors try scamming users out of their assets, hiding malicious URLs in empty image files, and bypassing antivirus defenses.

Attackers discovered a way to bypass antivirus services like VirusTotal, implanting malware in “blank images” on emails, researchers at Avanan, a Check Point Software company, have discovered.

“Hackers can target practically anyone with this technique. Like most attacks, the idea is to use it to get something from the end-user. Any user with access to credentials or money is a viable target,” Jeremy Fuchs, a cybersecurity researcher at Avanan, told Cybernews.

As with most phishing attacks, threat actors target victims via email. The campaign presents potential victims with a fraudulent document supposedly originating from DocuSign, an electronic agreements management service.

Targeted users are asked to review and sign the document. Interestingly, unlike other phishing campaigns, the link takes users to a legitimate DocuSign page.

That way, attackers trick the victim into trusting the overall email. However, the real danger lurks in the HTM attachment sent together with the DocuSign link.

According to the researchers, the attachment contains an SVG image encoded using Base64, a binary-to-text encoding scheme. Although the image is blank, the file still carries active content: JavaScript that redirects the browser to the malicious URL.

“What is new and unique is using an empty image with active content inside--a javascript image--which redirects to a malicious URL. It’s essentially using a dangerous image, with active content inside that traditional services like VirusTotal don’t detect,” Fuchs explained.

In essence, the attackers coax users into trusting the fraudulent email, which leads some of the victims to trust the attachment. However, clicking the attachment leads to a malicious site where scammers start casting their nets.

Researchers note that the attack is particularly crafty: by layering obfuscation upon obfuscation, it leaves most security services helpless against it.

To avoid falling victim to such attacks, users are advised to be cautious of any email that contains HTML or .htm attachments. At the same time, security administrators might consider blocking all HTML attachments.
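For administrators who would rather inspect than block outright, the following is an added Python example (not code from Avanan, Check Point or Cybernews) of a mail-gateway check for the attachment structure described above: it decodes every Base64 SVG data URI inside an .htm attachment and flags any SVG that draws nothing yet carries script or event handlers. Both sample attachments and the redirect URL are constructed placeholders, not indicators from the report.

```python
import base64
import re

# Constructed sample: a 1x1 SVG with no drawing elements but a <script> that
# redirects the browser. The URL is a placeholder, not an indicator from the report.
EMPTY_SVG_WITH_SCRIPT = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script>window.location.href="https://example.invalid/sign";</script></svg>'
)
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

def wrap_in_htm(svg: str) -> str:
    """Build a minimal .htm body carrying the SVG as a Base64 data URI."""
    b64 = base64.b64encode(svg.encode()).decode()
    return f'<html><body><img src="data:image/svg+xml;base64,{b64}"></body></html>'

SAMPLE_HTM = wrap_in_htm(EMPTY_SVG_WITH_SCRIPT)   # constructed malicious sample
BENIGN_HTM = wrap_in_htm(BENIGN_SVG)              # constructed benign sample

DATA_URI_RE = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
ACTIVE_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:|location\.(?:href|replace)", re.I)
DRAWING_RE = re.compile(r"<(?:path|rect|circle|ellipse|line|polygon|polyline|text|image|use)\b", re.I)

def extract_svgs(htm: str) -> list:
    """Decode every Base64 SVG data URI embedded in the attachment."""
    out = []
    for m in DATA_URI_RE.finditer(htm):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return out

def scan_attachment(htm: str) -> dict:
    """Return a verdict plus the reasons. A blank SVG that still carries active
    content is exactly the pattern in the report, so it is called out explicitly."""
    reasons = []
    for svg in extract_svgs(htm):
        active = sorted({h.strip().lower() for h in ACTIVE_RE.findall(svg)})
        blank = DRAWING_RE.search(svg) is None
        if active and blank:
            reasons.append(f"blank SVG with active content: {active}")
        elif active:
            reasons.append(f"SVG with active content: {active}")
    verdict = "quarantine" if reasons else "allow"
    return {"verdict": verdict, "reasons": reasons}
```

The data-URI form is one way an SVG can be carried inside an HTM file; a real gateway would also need to handle SVGs embedded inline or as separate attachments.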