Attackers distribute QBot malware using HTML smuggling
Talos researchers recently uncovered a phishing campaign that uses Scalable Vector Graphics (SVG) images embedded in HTML email attachments to distribute QBot malware.
When the victim opens the malicious email attachment, their browser decodes and executes an embedded script, which assembles a malicious payload directly on the victim’s device.
SVG images, unlike JPEG images, are vector-based, which means their size can be increased without compromising image quality. These images are built with XML, which allows them to be placed easily within the HTML attachments mentioned above.
The rest of the infection follows a chain similar to other QBot infections, beginning with an ISO file containing a shortcut (LNK) file that launches a chain culminating in the deployment of the main QBot DLL. Because the malware payload is created in the victim’s browser, attackers can avoid basic security detections designed to filter out any malicious content entering the network.
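Because the payload never crosses the network as a file, a mail gateway has to inspect the HTML attachment itself. The following triage heuristic is an added example, not code from Talos or the original article; it assumes the SVG is either inline or carried as a base64 data URI, and the token list, class and function names are illustrative choices.

```python
import base64
import re
from html.parser import HTMLParser

# Assumption: browser APIs a script typically calls to rebuild and save a file client-side.
SMUGGLING_TOKENS = ("atob(", "new Blob(", "createObjectURL", "msSaveBlob", ".download")
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)", re.I)
class ScriptCollector(HTMLParser):
    """Records each <script> body and whether it is nested inside an <svg> element."""
    def __init__(self):
        super().__init__()
        self.svg_depth, self.in_script, self.scripts = 0, False, []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            self.scripts.append([self.svg_depth > 0, ""])
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1][1] += data

def scan_attachment(html, where="inline svg"):
    """Return one finding per SVG-hosted script that references file-assembly APIs."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for inside_svg, text in parser.scripts:
        hits = [t for t in SMUGGLING_TOKENS if t in text]
        if inside_svg and hits:
            findings.append({"location": where, "tokens": hits})
    if where == "inline svg":  # decode data-URI SVGs one level deep
        for m in SVG_DATA_URI.finditer(html):
            try:
                svg = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:  # malformed base64: skip this URI
                continue
            findings += scan_attachment(svg, where="data-uri svg")
    return findings

# Constructed, inert sample: the SVG script only references the flagged APIs.
SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>new Blob([atob("QUJD")]);</script></svg>'
SAMPLE_HTML = '<embed src="data:image/svg+xml;base64,%s">' % base64.b64encode(SAMPLE_SVG.encode()).decode()
```

A hit is a reason to quarantine or detonate the attachment, not proof of malice, since legitimate pages also use these APIs.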
The sources for this piece include an article in BleepingComputer.