QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
The attack relies on embedded SVG files containing JavaScript that reassembles a Base64-encoded QBot installer, which is then automatically downloaded through the target's browser.
QBot is a Windows malware arriving via a phishing email that loads other payloads, including Cobalt Strike, Brute Ratel, and ransomware.
SVG-based smuggling
HTML smuggling is a technique used to “smuggle” encoded JavaScript payloads inside an HTML attachment or a website.
When the HTML document is opened, it will decode the JavaScript and execute it, allowing the script to locally perform malicious behavior, including creating malware executables.
This technique enables the threat actors to bypass security tools and firewalls that monitor for malicious files at the perimeter.
Researchers at Cisco Talos observed a new QBot phishing campaign that starts with a stolen reply-chain email prompting the user to open an attached HTML file.
The attachment uses HTML smuggling: a base64-encoded SVG (Scalable Vector Graphics) image embedded in the HTML hides the malicious code.
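As an added example from a defender's point of view (not code from the article or from Cisco Talos), here is a small Python scanner that applies the indicators described above to an HTML attachment: it extracts embedded SVGs, including base64 data URIs, and flags any that carry a script element, a large base64 blob, or the browser APIs used to rebuild a file locally. The sample inputs are constructed, and the blob-length threshold and API list are assumptions.

```python
import base64
import binascii
import re

# Indicators for the technique described above: an HTML attachment carrying an SVG
# (inline or as a base64 data URI) whose XML holds a <script> and a large base64 blob.
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
INLINE_SVG = re.compile(r"<svg\b.*?</svg>", re.I | re.S)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")  # length threshold is an assumption
SUSPECT_APIS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob", "download=")

def extract_svgs(html: str) -> list[str]:
    """Return every SVG document in the HTML, decoding base64 data URIs."""
    svgs = INLINE_SVG.findall(html)
    for match in SVG_DATA_URI.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue  # malformed base64 cannot be decoded by a browser either
        svgs.append(raw.decode("utf-8", "replace"))
    return svgs

def score_svg(svg: str) -> list[str]:
    """Flag the traits of a smuggling SVG; a plain drawing produces no findings."""
    findings = []
    if re.search(r"<script\b", svg, re.I):
        findings.append("svg-contains-script")
    if LONG_B64.search(svg):
        findings.append("svg-contains-large-base64-blob")
    hits = [api for api in SUSPECT_APIS if api in svg]
    if hits:
        findings.append("svg-uses-" + ",".join(hits))
    return findings

def scan_html_attachment(html: str) -> list[str]:
    """Scan one HTML attachment and return a sorted, de-duplicated finding list."""
    findings = set()
    for svg in extract_svgs(html):
        findings.update(score_svg(svg))
    return sorted(findings)

# Constructed samples (no real malware): the "payload" is 600 filler characters and
# the script body is a placeholder, which is enough to trip the indicators above.
_SMUGGLED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script>var p = atob("'
                 + "A" * 600 + '"); /* constructed: decoder omitted */</script></svg>')
SAMPLE_MALICIOUS_HTML = ('<html><body><img src="data:image/svg+xml;base64,'
                         + base64.b64encode(_SMUGGLED_SVG.encode()).decode() + '"></body></html>')
SAMPLE_BENIGN_HTML = '<html><body><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg></body></html>'
```

Calling `scan_html_attachment(SAMPLE_MALICIOUS_HTML)` reports the script, the blob and the `atob(` call, while the benign drawing yields an empty list; in a mail gateway the same check would run on every HTML attachment before delivery.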

Unlike raster image types, such as JPG and PNG files, SVGs are XML-based vector images that can include HTML