QBot Malware Attacks Use SVG files to Perform HTML Smuggling

Stu Sjouwerman | Dec 27, 2022

QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.

HTML smuggling has been around for some time. It’s a technique used by threat actors to hide encoded malicious script within an HTML email attachment or a webpage. Once the attachment is opened, the embedded JavaScript decodes the contents and assembles a malicious payload on the victim’s endpoint.

Security researchers at Cisco Talos have identified an attack method where part of the HTML attachment includes a scalable vector graphics (SVG) file - an XML-based file format that describes two-dimensional vector graphics. So rather than grabbing encoded text from the HTML file itself, the SVG file adds a twist to the attack that may be overlooked by some security solutions.
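As an added illustration (not Cisco Talos's or KnowBe4's code), the following Python triage check parses an HTML attachment and flags a `<script>` that sits inside an `<svg>` element and combines a long base64 literal with the browser APIs needed to rebuild a file on the client. The sample attachment and its base64 blob are constructed here; the blob is just an encoded sentence, not a payload.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed stand-in for the smuggled blob: base64 of a harmless sentence.
FAKE_BLOB = base64.b64encode(b"constructed stand-in, not a real payload").decode()
# Constructed sample attachment shaped like the SVG-in-HTML attachments described.
SAMPLE_HTML = """<html><body><p>Please see the attached invoice.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script><![CDATA[
var b = "__BLOB__";
var blob = new Blob([atob(b)], {type: "application/octet-stream"});
var u = URL.createObjectURL(blob);
]]></script></svg></body></html>""".replace("__BLOB__", FAKE_BLOB)

# Browser APIs commonly chained to decode and assemble a file client-side.
ASSEMBLY_APIS = ("atob", "Blob", "createObjectURL", "msSaveOrOpenBlob")
BASE64_LITERAL = re.compile(r"""["'][A-Za-z0-9+/]{32,}={0,2}["']""")

class SvgScriptScanner(HTMLParser):
    """Collect the text of every <script> that sits inside an <svg> element."""
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.svg_scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth:
            self.in_script = True
            self.svg_scripts.append("")
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.svg_scripts[-1] += data  # script bodies arrive raw, CDATA included

def scan_attachment(html):
    """Flag HTML whose SVG script carries a base64 literal and >= 2 assembly APIs."""
    scanner = SvgScriptScanner()
    scanner.feed(html)
    apis = sorted({a for s in scanner.svg_scripts for a in ASSEMBLY_APIS if a in s})
    blobs = sum(len(BASE64_LITERAL.findall(s)) for s in scanner.svg_scripts)
    return {"svg_scripts": len(scanner.svg_scripts), "assembly_apis": apis,
            "base64_literals": blobs, "suspicious": blobs > 0 and len(apis) >= 2}
```

Scripts outside the `<svg>` element are deliberately not counted, so the check targets the SVG twist rather than every inline script in a mail attachment.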

According to Cisco Talos, a recent campaign started with a BEC attack where an email chain was hijacked by a threat actor impersonating one of the participants. Their malicious reply asked recipients to open an attached HTML file. This detail alone brings two attacks to light – first a credential compromise attack necessary to gain access to and take over an email thread. And, second, the BEC attack using the compromised account to install QBot.

Both attacks use some form of social engineering to reach their malicious objectives. This makes it necessary for organizations to take advantage of Security Awareness Training to educate users on attacks like these, so that an email asking its recipient to open an HTML attachment will immediately set off red flags – regardless of who supposedly sent the email.
