Trojans Embedded in .svg Files_SCHNEIER:EDD1F74BF10CFC7CA05E5D74E4029FB5

Description

Porn sites are hiding code in .svg files:

> Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of "JSFuck," a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.
>
> Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open.
>
> "This Trojan, also written in Javascript, silently clicks a 'Like' button for a Facebook page without the user's knowledge or consent, in this case the adult posts we found above," Malwarebytes researcher Pieter Arntz wrote. "The user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access."

This isn't a new trick. We've seen Trojaned .svg files before.

Visit Original Source

Basic Information

ID SCHNEIER:EDD1F74BF10CFC7CA05E5D74E4029FB5

Published Aug 15, 2025 at 11:07

Modified Aug 14, 2025 at 16:12

{
    "lastseen": "2025-08-15T12:04:56",
    "description": "Porn sites are hiding code in .svg files:\n\n> Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of \"JSFuck,\" a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.\n> \n> Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open.\n> \n> \"This Trojan, also written in Javascript, silently clicks a 'Like' button for a Facebook page without the user's knowledge or consent, in this case the adult posts we found above,\" Malwarebytes researcher Pieter Arntz wrote. \"The user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.\"\n\nThis isn't a new trick. We've seen Trojaned .svg files before.",
    "published": "2025-08-15T11:07:51",
    "modified": "2025-08-14T16:12:47",
    "type": "schneier",
    "title": "Trojans Embedded in .svg Files",
    "source": "",
    "references": "",
    "id": "SCHNEIER:EDD1F74BF10CFC7CA05E5D74E4029FB5",
    "bulletinFamily": "blog",
    "cwe": null,
    "cvelist": [],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.schneier.com/blog/archives/2025/08/trojans-embedded-in-svg-files.html",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply