With the rise of malicious actors utilizing Scalable Vector Graphics (SVG) for stealthy code injection, the challenges for security researchers in identifying masked payloads embedded within these SVG files are escalating.
The SVG Security Analysis Toolkit, developed by HackingLZ, addresses this problem end to end. It comprises four Python tools built to reveal concealed scripts, decode obfuscated URLs, and verify protection mechanisms, while keeping analysts out of dangerous execution environments.
Static and Dynamic Deobfuscation
The toolkit’s initial components, extract.py and extract_dynamic.py, collaborate effectively to reveal malevolent scripts through various analytical approaches:
extract.py serves as a static SVG URL extractor, performing pattern-based analysis without running any code. It automatically identifies and decodes XOR-encrypted payloads built with String.fromCharCode patterns, Base64-encoded URLs embedded in data: URIs, and character arithmetic that combines parseInt with XOR loops. Its usage examples show the range of inputs it handles.
extract_dynamic.py functions as a dynamic JavaScript executor that uses box-js to run embedded JavaScript safely inside a sandbox and capture the final URL constructions. Noteworthy features include:
- An advanced Hook System to monitor location.assign(), window.open(), and AJAX interactions.
- Final URL Prioritization, effectively distinguishing whole URLs from mere fragments.
- ActiveX/WScript Support for handling Windows-centric scripts.
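As an added illustration of the static, no-execution approach described for extract.py (example code written for this article, not part of HackingLZ's toolkit), the following script recovers URLs from XOR'd char-code arrays and Base64 data: URIs in a constructed sample SVG. The sample URL, the key 42 and all function names are assumptions.

```python
import base64
import re
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%+-]*)?")
INT_ARRAY_RE = re.compile(r"\[\s*\d+(?:\s*,\s*\d+){7,}\s*\]")  # 8+ integer literals
XOR_KEY_RE = re.compile(r"\^\s*(\d+)")                          # a literal `^ 42`
DATA_URI_RE = re.compile(r"data:[\w/+.-]+;base64,([A-Za-z0-9+/=]+)")

def decode_xor_arrays(script: str) -> list[str]:
    """Treat integer arrays as XOR'd char codes: explicit key first, else brute-force."""
    hits = []
    keys = [int(k) for k in XOR_KEY_RE.findall(script)] or list(range(256))
    for arr in INT_ARRAY_RE.findall(script):
        codes = [int(n) for n in re.findall(r"\d+", arr)]
        for key in keys:
            text = "".join(chr((c ^ key) & 0xFF) for c in codes)
            if text.isprintable() and URL_RE.search(text):  # stop at first URL-like result
                hits.extend(URL_RE.findall(text))
                break
    return hits

def decode_data_uris(svg: str) -> list[str]:
    """Base64-decode data: URIs and pull URLs out of the decoded payload."""
    hits = []
    for b64 in DATA_URI_RE.findall(svg):
        try:
            payload = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; skip malformed blobs
            continue
        hits.extend(URL_RE.findall(payload))
    return hits

def extract_urls(svg: str) -> list[str]:
    """Static pass, no script execution: plain URLs, XOR'd arrays, Base64 data: URIs."""
    plain = [u for u in URL_RE.findall(svg) if "w3.org" not in u]  # drop the SVG namespace
    return sorted(set(plain + decode_xor_arrays(svg) + decode_data_uris(svg)))

def build_sample(url: str, key: int) -> str:
    """Constructed test SVG (not a real sample): XOR'd char-code array + Base64 data: URI."""
    codes = ",".join(str(ord(ch) ^ key) for ch in url)
    inner = base64.b64encode(f'<script>window.open("{url}/inner")</script>'.encode()).decode()
    return ('<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA['
            f"var k={key};var d=[{codes}];"
            "location.assign(String.fromCharCode.apply(null,d.map(function(c){return c^k;})));"
            f']]></script><image href="data:text/html;base64,{inner}"/></svg>')

SAMPLE_SVG = build_sample("https://example.test/login", 42)  # constructed input, key 42

if __name__ == "__main__":
    print("\n".join(extract_urls(SAMPLE_SVG)))
```

Because the sample's key is held in a variable rather than written as a literal, the array is recovered by the one-byte brute-force path; a script containing `c ^ 42` would be decoded with that explicit key directly.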
Protection Detection

To complete the analytical workflow, the toolkit incorporates cf_probe.py and encoder.py. cf_probe.py functions as a Cloudflare protection detection tool, inspecting HTTP and meta-refresh redirects for Cloudflare challenges.
This utility identifies Turnstile through data-sitekey attributes, inspects associated JavaScript for reCAPTCHA or custom CAPTCHA systems, and reports on CF headers such as CF-Ray and DDoS defense messages.
In conjunction, encoder.py acts as an SVG Test Case Generator, allowing security teams to create realistic obfuscated SVG samples for validation of their detection frameworks.
- It supports six obfuscation patterns, including XOR + ES6 Proxy, hex-encoded Function constructor, and data URI scripts.
HackingLZ advocates the following analytical sequence for optimal coverage and security:
- Generate Test Cases: encoder.py --random-all -o test_cases/
- Static Analysis: python3 extract.py -i test_cases/*.svg -v
- Dynamic Analysis: python3 extract_dynamic.py -i test_cases/ -o dynamic_results/
- Protection Verification: python3 cf_probe.py -i malicious_urls.txt
By combining static string decoding, sandboxed script execution, protection verification, and generated test data, the SVG Security Analysis Toolkit helps defenders keep pace with evasive SVG-based phishing and malware campaigns.
Source link: Cybersecuritynews.com.