QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
QBot is a Windows malware arriving via a phishing email that loads other payloads, including Cobalt Strike, Brute Ratel, and ransomware.
Because the malicious file is assembled by the victim's browser from data embedded in the HTML, rather than downloaded as a file, this technique lets the threat actors slip past security tools and firewalls that inspect attachments and downloads for malicious files at the perimeter.
Researchers at Cisco Talos observed a new QBot phishing campaign that starts with a stolen reply-chain email prompting the user to open an attached HTML file.
The attachment uses HTML smuggling: a base64-encoded SVG (Scalable Vector Graphics) image embedded in the HTML carries the malicious code, so a scanner that only looks at the outer HTML sees an image rather than a script.
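The following is an added example of how a defender can triage an HTML attachment for this pattern. It is not Cisco Talos's tooling and not code from the QBot sample: it pulls every base64 `data:image/svg+xml` URI out of the HTML, decodes it with Node's `Buffer`, and flags the SVG if it contains a `<script>` element, inline event handlers, a `javascript:` URI, or the `atob`/`Blob`/`createObjectURL` calls that HTML smuggling uses to rebuild and hand over a file on the client. The sample HTML and SVG are constructed for the example; the inner base64 string decodes to the text "not a real payload".

```javascript
// Added example (not from the original article or the QBot campaign):
// offline triage of an HTML attachment for script-bearing SVG data URIs.

// Base64 SVG data URIs as they appear in src/href/data attributes.
// Real samples may break the base64 across lines; this regex assumes it is contiguous.
const SVG_DATA_URI = /data:image\/svg\+xml;base64,([A-Za-z0-9+/=]+)/g;

// Decode every embedded SVG so the scanner sees the XML, not the base64 blob.
function extractEmbeddedSvgs(html) {
  const svgs = [];
  for (const m of html.matchAll(SVG_DATA_URI)) {
    svgs.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return svgs;
}

// Indicators that an SVG carries executable content or rebuilds a file client-side.
function svgScriptIndicators(svg) {
  const found = [];
  if (/<script[\s>]/i.test(svg)) found.push("script-element");
  if (/\son[a-z]+\s*=/i.test(svg)) found.push("event-handler-attribute");
  if (/javascript:/i.test(svg)) found.push("javascript-uri");
  if (/Blob\s*\(|createObjectURL|\.download\s*=|msSaveOrOpenBlob/i.test(svg)) found.push("client-side-download");
  if (/atob\s*\(/i.test(svg)) found.push("base64-decode");
  return found;
}

// One result per embedded SVG: its position and the indicators it triggered.
function triageHtmlAttachment(html) {
  return extractEmbeddedSvgs(html).map((svg, index) => ({
    index,
    indicators: svgScriptIndicators(svg),
  }));
}

// Constructed sample: an SVG whose script decodes an inner base64 string and
// offers it to the user as a download. The inner string is "not a real payload".
const CONSTRUCTED_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script type="text/javascript">
  var data = atob("bm90IGEgcmVhbCBwYXlsb2Fk");
  var blob = new Blob([data], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
</script>
</svg>`;

// Constructed HTML attachment embedding the SVG as a base64 data URI.
const CONSTRUCTED_HTML = `<html><body>
<p>Please review the attached document.</p>
<embed type="image/svg+xml" src="data:image/svg+xml;base64,${Buffer.from(CONSTRUCTED_SVG).toString("base64")}">
</body></html>`;

// Constructed benign control: a plain vector image with no script.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
const BENIGN_HTML = `<img src="data:image/svg+xml;base64,${Buffer.from(BENIGN_SVG).toString("base64")}">`;

console.log(JSON.stringify(triageHtmlAttachment(CONSTRUCTED_HTML), null, 2));
console.log(JSON.stringify(triageHtmlAttachment(BENIGN_HTML), null, 2));
```

The decode step matters more than the regexes: a scanner that only inspects the outer HTML sees an image attribute and nothing else. Note that browsers do not execute script in an SVG loaded through an `<img>` element, only when it is loaded as a document (for example via `<embed>`, `<object>`, an `<iframe>`, or inline SVG), so the element that references the data URI is itself a useful signal when reviewing hits.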
Unlike raster image types, such as JPG and PNG files, SVGs are XML-based vector images that can include HTML