Hackers Use SVG Images to Install QBot Malware

To perform HTML smuggling, the QBot malware phishing campaigns utilize SVG image files as a method of distribution. This method creates a malicious installer for Windows that can be run by the user locally.

A Base64 encoded QBot malware installer is reassembled via embedded SVG images that contain JavaScript which can be used to perform this attack. As soon as the target’s browser is opened, the installer will be automatically downloaded and installed.

HTML Smuggling Based on SVG

A phishing email message that delivers the malicious QBot malware can also load other payloads, such as the following:-

  • Cobalt Strike
  • Brute Ratel
  • Ransomware
HTML Smuggling (Talos)

As the name suggests, HTML smuggling involves encrypting JavaScript payloads into HTML attachments or websites in such a way that they don’t leave any trail behind them.

HTML documents automatically decode JavaScript and execute it when they are opened. Scripts that run locally could be allowed to perform malicious functions, including creating executables that could execute malware.

Threat actors use this method so that they can avoid being detected at the perimeter by the following entities:-

In a new campaign that was observed by Cisco Talos researchers, QBot phishing emails are used to lure users into opening an HTML document that has been attached to an email reply chain sent using stolen email addresses.

Attached File (Talos)

A base64-encoded SVG image is embedded in the HTML of this attachment to hide the malicious code that has been hidden with the aid of an HTML smuggling technique.

SVG Image Embedded (Talos)

Since SVG is a vector image format that is completely based upon XML, it has the capability of including HTML