SVG Files Used by Attackers For Smuggling QBot Malware Onto Windows PCs

SVG Files Used by Attackers For Smuggling QBot Malware Onto Windows PCs

A novel distribution technique for QBot malware phishing campaigns uses SVG files to smuggle HTML and produce malicious Windows installation locally. This exploit uses embedded JavaScript-enabled SVG files to disassemble a Base64-encoded QBot malware installation that the target’s browser automatically downloads. A phishing email carrying the Windows malware QBot also loads other payloads, such as Cobalt Strike, Brute Ratel, and ransomware.

JavaScript payloads that have been encoded can be smuggled inside of an HTML attachment or webpage using the HTML smuggling technique. The JavaScript is decoded and run when the HTML file is opened, enabling the script to carry out destructive actions locally, such as producing malware executables. Threat actors can get through firewalls and security systems that keep an eye out for harmful files at the perimeter by using this strategy.

A new QBot phishing effort has been spotted by Cisco Talos researchers. It begins with a stolen reply chain email asking the recipient to view an attached HTML file. This file exploits HTML smuggling, concealing malicious code using a base64-encoded SVG (scalable vector graphics) image inserted in the HTML. Unlike raster image types, like PNG and JPG files, SVGs are XML-based vector images that can involve HTML <script> tags, which is a legitimate feature of that file format.

The image is shown, and JavaScript is run when an HTML page loads an SVG file using the embed or <iframe> tags. Cisco’s experts analyzed the JavaScript code contained in the SVG blob. They discovered a function that turns the embedded JS variable “text” into a binary blob before turning the binary blob into a ZIP package.

“In this case, the JavaScript smuggled inside of the SVG image contains the entire malicious zip archive, and the malware is then assembled by the JavaScript directly on the end user’s device,” Cisco explains. “Because the malware payload is constructed directly on the victim’s machine and isn’t transmitted over the network, this HTML smuggling technique can bypass detection by security devices designed to filter malicious content in transit.”

The downloaded archive is password-protected to avoid detection by antivirus programs, but the HTML that the victim views contains the ZIP file’s password. If opened, an ISO file causes a classic “ISO → LNK → CMD → DLL” infection or a version of it on the victim’s computer. Using the SVG file to conceal malicious code inside an HTML attachment is thought to confuse the payload further and improve the likelihood that it will go undetected.

Block JavaScript or VBScript execution for downloaded material to safeguard systems from HTML smuggling attacks. A Windows vulnerability that QBot recently exploited allowed its attachments to get through Mark of the Web security warnings. However, Microsoft rectified this recently with a patch for December 2022.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.