QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
QBot is a Windows malware arriving via a phishing email that loads other payloads, including Cobalt Strike, Brute Ratel, and ransomware.
This technique enables the threat actors to bypass security tools and firewalls that monitor for malicious files at the perimeter.
Researchers at Cisco Talos observed a new QBot phishing campaign that starts with a stolen reply-chain email prompting the user to open an attached HTML file.
This attachment contains an HTML smuggling technique that uses a base64-encoded SVG (scalable vector graphics) image embedded in the HTML to hide the malicious code.
Unlike raster image types, such as JPG and PNG files, SVGs are XML-based vector images that can include HTML <script> tags, which is a legitimate feature of that file format.
“Because the malware payload is constructed directly on the victim’s machine and isn’t transmitted over the network, this HTML smuggling technique can bypass detection by security devices designed to filter malicious content in transit.”
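The following is an added example, not code from the Talos report: a Python triage check that pulls base64-encoded SVG data out of an HTML attachment, decodes it, and flags SVGs that carry `<script>` tags or the Blob/download calls HTML smuggling relies on. The sample HTML and the embedded SVG are constructed placeholders, not samples from the campaign.

```python
import base64
import re

# base64 SVG payloads arrive either as a data: URI or as a literal fed to atob()
DATA_URI_RE = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*\)", re.I)
# A vector image has no business containing script or file-drop calls
SCRIPT_RE = re.compile(r"<script\b", re.I)
SMUGGLE_MARKERS = ("Blob(", "createObjectURL", "download", "msSaveOrOpenBlob")


def find_base64_blobs(html: str) -> list:
    return DATA_URI_RE.findall(html) + ATOB_RE.findall(html)


def decode_b64(blob: str) -> str:
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_html_attachment(html: str) -> dict:
    """Decode every embedded base64 SVG and report smuggling indicators.
    Script in SVG is legal, so the result is a review flag, not a verdict."""
    findings = {"embedded_svg": 0, "svg_with_script": 0, "markers": []}
    for blob in find_base64_blobs(html):
        decoded = decode_b64(blob)
        if "<svg" not in decoded.lower():
            continue  # base64 that is not an SVG image
        findings["embedded_svg"] += 1
        if SCRIPT_RE.search(decoded):
            findings["svg_with_script"] += 1
        for marker in SMUGGLE_MARKERS:
            if marker in decoded and marker not in findings["markers"]:
                findings["markers"].append(marker)
    findings["suspicious"] = findings["svg_with_script"] > 0
    return findings


# Constructed sample: an SVG whose script does nothing but mention the calls
# a smuggling payload would make, wrapped in an HTML <img> data URI.
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script>'
              '/* placeholder: real samples call Blob(...) and trigger a download */'
              '</script></svg>')
SAMPLE_HTML = ('<html><body><img src="data:image/svg+xml;base64,'
               + base64.b64encode(SAMPLE_SVG.encode()).decode() + '"></body></html>')

if __name__ == "__main__":
    print(analyze_html_attachment(SAMPLE_HTML))
```

Because the decoded SVG never touches disk, the same check can run inside a mail gateway or sandbox detonation pipeline on the attachment bytes alone.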
The downloaded archive is password-protected to evade scrutiny from AVs, but the HTML the victim opens contains the ZIP file’s password.
If opened, an ISO file is extracted on the victim’s machine that leads to a typical “ISO → LNK → CMD → DLL” infection or some variation of it.
It is assumed that using an SVG file to hide the malicious code inside an HTML attachment further obfuscates the payload and increases the chances of evading detection.
QBot recently exploited a Windows vulnerability that let its attachments bypass Mark of the Web security warnings, but Microsoft fixed it yesterday in its December 2022 patch.