December 15, 2022

Talos security researchers have identified a new malicious campaign involving Qakbot attackers. The attackers use a relatively new technique with QBot malware phishing campaigns that uses Scalable Vector Graphics (SVG) images embedded in HTML email attachments.

Malicious payloads are delivered in the form of encoded strings in an HTML attachment or webpage. The malicious HTML code is generated within the browser on the target device, which is already inside the victim’s network’s security perimeter. When a victim opens the attachment in their browser after receiving the email, the embedded script decodes and runs, assembling a malicious payload directly on the victim’s device.

This attack is carried out via embedded SVG files containing JavaScript, which reassemble a Base64 encoded QBot malware installer, which is automatically downloaded via the target’s browser. The JavaScript smuggled inside the SVG image contains the entire malicious zip archive, and the malware is then assembled directly on the end user’s device by the JavaScript. This HTML smuggling technique can avoid detection by security devices designed to filter malicious content in transit because the malware payload is built directly on the victim’s machine and is not transmitted over the network.

The QBot malware, which is spread through phishing emails, is capable of hijacking a victim’s email and sending itself out as a reply to an existing email thread with an HTML attachment. When the recipient opens it, the attack is launched by the smuggled JavaScript code contained within the SVG image. The script generates a password-protected malicious zip archive and then prompts the user to save the file. The password can be found in the HTML attachment.

If the recipient enters the password provided by the attacker and opens the zip archive, an.ISO file can be extracted. The.iso file allows the Qakbot malware to infect the victim.

The sources for this piece include an article in BleepingComputer.