Threat Intel Digest

December 2019

Securing Your Avatar Images

Images and graphics can be rendered several ways in a browser. One common format is SVG (Scalable Vector Graphics), which is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.

Because an SVG file is plain XML, it can be opened and edited in any text editor, and an attacker can insert malicious content directly inside the svg tags. Scripts embedded this way can be used for several attacks, such as cross-site scripting, HTML injection, XML entity processing (the so-called Billion Laughs attack), and denial of service. Modern browsers block some of these attacks, but a determined attacker can usually find a variant that gets through. A more direct approach is to sanitize every uploaded SVG image on the server: restrict the image to a known set of safe tags, restrict how it may load resources, and strip every conceivable way a script could be attached.


Fumigating RevengeRAT and WSHRAT Infestations

A RAT (Remote Access Trojan) is a type of malware that lets an attacker interactively control infected machines. A large collection of RAT-infected machines can also be used for a DDoS (Distributed Denial-of-Service) attack to bring down a specific website or system.

Nowadays, malware rarely attacks on its own; it usually combines its attack with other malware. Some malware downloads additional malware for particular tasks, while other malware drops the components it needs from its own binary. The main advantage of dropping components from a packaged binary is that every part of the attack is already available, even without an internet connection. We have found a malware sample with a low detection rate. It drops RevengeRAT and WSHRAT. The first RAT is mostly used to gather information about the infected machine and send it to its command-and-control server, where it can be used to plan further attacks on the infected system. Meanwhile, WSHRAT contains the code and commands that let the attacker connect to the machine interactively. Combining capabilities this way lets a malware author focus each piece of malware on one specific goal; the pieces only need to be packaged together to achieve the overall goal. However, packaging also offers an advantage to the defender: detecting just one of the components is enough to partially disable the functionality of the whole pack.