Threat Actors Utilize AI-Powered Code Insight to Evade Detection

VirusTotal has recently uncovered a sophisticated phishing campaign hidden within SVG files, which create convincing portals impersonating Colombia’s judicial system to deliver malware. The campaign was discovered after VirusTotal added support for SVG files to its AI Code Insight platform, which utilizes machine learning to analyze uploaded file samples and generate summaries of suspicious or malicious behavior.
VirusTotal, a well-known online service that allows users to analyze files and URLs for malware and other threats, has long been a go-to resource for security researchers and professionals. Its platform aggregates the results of more than 70 antivirus engines and URL scanners, providing users with a comprehensive overview of potential threats. Recently, VirusTotal has been expanding its capabilities by integrating AI-powered tools such as AI Code Insight, which enhances its ability to detect malicious behavior in complex file formats like SVGs.
The campaign, which had evaded detection by antivirus scans, used JavaScript to render HTML that impersonated a portal of Colombia’s government judiciary system. SVG files are normally used to describe images of lines, shapes, and text through text-based mathematical formulas, but threat actors have increasingly used them in attacks, because an SVG can also embed HTML and execute JavaScript when the graphic is loaded.
In this campaign, SVG image files were used to render fake portals that display a phony download progress bar, prompting users to download a password-protected zip archive. The password for this file was displayed in the fake portal page, adding to the illusion of legitimacy. The phishing site included case numbers, security tokens, and visual cues to build trust, all crafted within an SVG file.
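The behaviour described above relies on SVG constructs that turn an image into a web page: inline scripts, `foreignObject` HTML embedding, event-handler attributes and `javascript:` links. As an added example (not code from VirusTotal or from the campaign), the following Python scanner counts those constructs so a triage pipeline can flag an SVG for deeper analysis; the two sample documents are constructed for illustration and are not real campaign artifacts.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed samples for illustration only; not artifacts from the campaign.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <foreignObject width="100%" height="100%">
    <xhtml:div>Descargando documento... 45%</xhtml:div>
  </foreignObject>
  <script type="text/javascript">/* page-building code would sit here */</script>
  <rect width="1" height="1" onLoad="init()"/>
  <a href="javascript:void(0)"><text x="0" y="10">Descargar</text></a>
</svg>"""


def active_content_indicators(svg_bytes: bytes) -> dict:
    """Count constructs that let an SVG behave like a web page instead of an image.

    Looks for <script>, <foreignObject> (HTML embedding), elements in the XHTML
    namespace, on* event-handler attributes and javascript: links. Unparseable
    input is flagged rather than silently accepted, since a scanner that skips
    what it cannot parse is easy to bypass.
    """
    counts = {"script": 0, "foreignObject": 0, "xhtml_element": 0,
              "event_handler": 0, "javascript_href": 0, "unparseable": 0}
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        counts["unparseable"] = 1
        return counts
    for el in root.iter():
        # ElementTree tags look like "{namespace}localname"; split them apart.
        ns, _, local = el.tag[1:].partition("}") if el.tag.startswith("{") else ("", "", el.tag)
        if local == "script":
            counts["script"] += 1
        elif local == "foreignObject":
            counts["foreignObject"] += 1
        if ns == XHTML_NS:
            counts["xhtml_element"] += 1
        for attr, value in el.attrib.items():
            attr_local = attr.rpartition("}")[2]  # strip any namespace prefix
            if attr_local.lower().startswith("on"):
                counts["event_handler"] += 1
            elif attr_local == "href" and value.strip().lower().startswith("javascript:"):
                counts["javascript_href"] += 1
    return counts


def is_suspicious(svg_bytes: bytes) -> bool:
    """True when any active-content indicator is present."""
    return any(active_content_indicators(svg_bytes).values())
```

For untrusted input at scale, parse with a hardened XML library (for example defusedxml) rather than the stdlib parser, and treat any non-zero count as a reason to route the file to sandboxing or manual review rather than as proof of malice.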
Upon extracting the archive, researchers found that it contained a legitimate executable from the Comodo Dragon web browser, renamed to look like an official judicial document, along with a malicious DLL and two encrypted files. If the user opened the executable, the malicious DLL would be sideloaded to install further malware on the system.
VirusTotal identified 523 previously uploaded SVG files that were part of the same campaign but had evaded detection by security software. The addition of SVG support to Code Insight was crucial in exposing this particular campaign, as VirusTotal noted that the use of AI makes it easier to identify new malicious campaigns.
“This is where Code Insight helps most: giving context, saving time, and helping focus on what really matters,” concludes VirusTotal. “It’s not magic, and it won’t replace expert analysis, but it’s one more tool to cut through the noise and get to the point faster.”