QBot malware phishing campaigns now use SVG files for HTML smuggling, a technique that assembles a malicious Windows installer locally on the victim's machine.
QBot is Windows malware that arrives via phishing emails. It loads additional payloads such as and .
This lets the attackers get around security gateways and firewalls, because the malicious file is created on the victim's device, inside the perimeter, rather than passing through it.
Researchers from discovered a new QBot phishing campaign. It starts with a stolen reply-chain email that prompts the user to open an attached HTML file.
The attachment uses an HTML smuggling method that embeds an SVG (Scalable Vector Graphics) image in the HTML to conceal the malicious code.
Unlike raster image formats such as JPG or PNG, SVGs are XML-based vector files that can contain HTML <script> tags. This is a valid, legitimate feature of the file format.
Because the payload is built in the browser from data hidden inside the image, this HTML smuggling method can bypass security systems that filter malicious content at the network edge.
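As an added example (not from the original article or the researchers it cites), the following Python script inspects an HTML attachment for the pattern described above: an SVG, either inline or supplied as a base64 data: URI, that carries a <script> element. The sample attachments are constructed, with a comment placeholder where a real lure would put its script.

```python
"""Flag HTML attachments that embed an SVG carrying a <script> element, the
HTML-smuggling pattern described above. Added example, not part of the
original article; the sample attachments below are constructed."""
import base64
import re
from html.parser import HTMLParser

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)


class SvgScriptFinder(HTMLParser):
    """Track <svg> nesting and record any <script> that appears inside an <svg>."""
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:
            self.findings.append("inline <svg> contains <script>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html(html):
    """Return findings for one HTML attachment (empty list = nothing suspicious)."""
    parser = SvgScriptFinder()
    parser.feed(html)
    parser.close()
    findings = parser.findings
    # An SVG can also arrive as a base64 data: URI (<img src=...>, <object data=...>).
    for match in SVG_DATA_URI.finditer(html):
        try:
            body = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:  # bad padding; binascii.Error subclasses ValueError
            body = ""
        if SCRIPT_TAG.search(body):
            findings.append("data:image/svg+xml URI contains <script>")
    return findings


# Constructed samples: an inline SVG carrying a script, and the same SVG as a data: URI.
SAMPLE_INLINE = ('<html><body><svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
                 '<script>/* placeholder */</script></svg></body></html>')
SAMPLE_DATA_URI = ('<html><body><img src="data:image/svg+xml;base64,'
                   + base64.b64encode(b"<svg><script>/* placeholder */</script></svg>").decode()
                   + '"></body></html>')
```

A script outside any SVG is deliberately not flagged here, so this check targets the SVG-smuggling pattern specifically and should be combined with a mail gateway's general script-in-attachment rules.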
To avoid scrutiny by antivirus software, the downloaded archive is password-protected. However, the HTML page the victim opens displays the password for the ZIP file.
If the victim opens the archive, an ISO file is extracted onto their computer, leading to an “ISO-LNK-CMD-DLL” infection chain, or a variant of it.
The assumption is that hiding the malicious code inside an SVG within the HTML attachment helps obfuscate the payload and reduces the chance of detection.
QBot recently exploited a Windows vulnerability that enabled it to bypass security alerts. Microsoft fixed this issue yesterday as part of Microsoft’s .