QBot malware phishing campaigns have adopted a brand new distribution technique utilizing SVG recordsdata to carry out HTML smuggling that domestically creates a malicious installer for Home windows.
This assault is made via embedded SVG recordsdata containing JavaScript that reassemble a Base64 encoded QBot malware installer that’s robotically downloaded via the goal’s browser.
QBot is a Home windows malware arriving by way of a phishing e-mail that hundreds different payloads, together with Cobalt Strike, Brute Ratel, and ransomware.
SVG-based smuggling
HTML smuggling is a way used to “smuggle” encoded JavaScript payloads inside an HTML attachment or a web site.
When the HTML doc is opened, it should decode the JavaScript and execute it, permitting the script to domestically carry out malicious habits, together with creating malware executables.
This system allows the menace actors to bypass safety instruments and firewalls that monitor for malicious recordsdata on the perimeter.
Researchers at Cisco Talos noticed a brand new QBot phishing marketing campaign that begins with a stolen reply-chain e-mail prompting the person to open an connected HTML file.
This attachment comprises an HTML smuggling method that makes use of a base64-encoded SVG (scalable vector graphics) picture embedded within the HTML to cover the malicious code.
In contrast to raster picture varieties, reminiscent of JPG and PNG recordsdata, SVGs are XML-based vector photographs that may embrace HTML <script> tags, which is a legit characteristic of that file format.
When an HTML doc hundreds an SVG file via an <embed> or <iframe> tag, the picture will likely be displayed, and the JavaScript will likely be executed.
Cisco’s analysts decoded the JavaScript code within the SVG blob and located a operate that converts an included JS variable ‘textual content’ right into a binary blob, adopted by a operate that converts the blob right into a ZIP archive, as proven beneath.
“On this case, the JavaScript smuggled inside the SVG picture comprises the complete malicious zip archive, and the malware is then assembled by the JavaScript immediately on the tip person’s machine,” explains Cisco.
“As a result of the malware payload is constructed immediately on the sufferer’s machine and is not transmitted over the community, this HTML smuggling method can bypass detection by safety units designed to filter malicious content material in transit.”
The downloaded archive is password-protected to evade scrutiny from AVs, however the HTML the sufferer opens comprises the ZIP file’s password.
If opened, an ISO file is extracted on the sufferer’s machine that results in a typical “ISO → LNK → CMD → DLL” an infection or some variation of it.
It’s assumed that utilizing the SVG file to cover malicious code inside an HTML attachment helps additional obfuscate the payload and will increase the probabilities of evading detection
To guard techniques from HTML smuggling assaults, block JavaScript or VBScript execution for downloaded content material.
QBot just lately exploited a Home windows vulnerability that enabled its attachments to bypass Mark of the Net safety warnings, however Microsoft mounted this yesterday with Microsoft’s December 2022 patch.