Cisco Talos researchers have spotted a new QBot phishing campaign. It begins with a hijacked reply-chain email that asks the recipient to open an attached HTML file. The attachment uses HTML smuggling: the malicious code is hidden inside a base64-encoded SVG (Scalable Vector Graphics) image embedded in the HTML. Unlike raster formats such as PNG and JPG, SVG is an XML-based vector format whose specification allows an SVG document to carry <script> tags, so scripting inside the image is a legitimate feature of the format rather than a parser flaw. When the HTML renders in the victim's browser, the script inside the SVG reassembles the payload locally and triggers its download, so the archive itself never has to cross the mail gateway as an attachment.
The downloaded archive is a password-protected ZIP, which keeps antivirus scanners from inspecting its contents, but the HTML page the victim sees displays the password. Inside the ZIP is an ISO image; double-clicking it mounts the image as a drive, and opening the shortcut it contains sets off the classic "ISO → LNK → CMD → DLL" infection chain, or a variant of it, on the victim's computer. Wrapping the code in an SVG inside an HTML attachment adds one more layer of obfuscation around the payload and improves the odds that it slips past detection.