QBot Malware Attacks Use SVG files to Perform HTML Smuggling

QBot Malware Attacks Use SVG files to Perform HTML SmugglingQBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.

HTML smuggling has been around for some time. It’s a technique used by threat actors to hide encoded malicious script within an HTML email attachment or a webpage. Once the attachment is opened, the embedded JavaScript decodes the contents and assembles a malicious payload on the victim’s endpoint.

Security researchers at Cisco Talos have identified an attack method where part of the HTML attachment includes a scalable vector graphics (SVG) file - an XML-based file that describes two-dimensional based vector graphics. So rather than grabbing encoded text from the HTML file itself, the SVG file adds a twist to the attack that may be overlooked by some security solutions.

According to Cisco Talos, a recent campaign started with a BEC attack where an email chain was hijacked by a threat actor impersonating one of the participants. Their malicious reply asked recipients to open an attached HTML file. This detail alone brings two attacks to light – first a credential compromise attack necessary to gain access to and take over an email thread. And, second, the BEC attack using the compromised account to install QBot.

Both attacks use some form of social engineering to reach their malicious objectives. This makes it necessary for organizations to take advantage of Security Awareness Training to educate users on attacks like these, so recipients of an email being asked to open an HTML attachment will immediately set of red flags – regardless of who supposedly sent the email.

The world's largest library of security awareness training content is now just a click away!

In your fight against phishing and social engineering you can now deploy the best-in-class simulated phishing platform combined with the world's largest library of security awareness training content; including 1000+ interactive modules, videos, games, posters and newsletters.

You can now get access to our new ModStore Preview Portal to see our full library of security awareness content; you can browse, search by title, category, language or content topics.

ModStore01-1The ModStore Preview includes:

  • Interactive training modules
  • Videos
  • Trivia Games
  • Posters and Artwork
  • Newsletters and more!

Start Your Preview

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews