Phishing operators are using Scalable Vector Graphics (SVG) files embedded in HTML attachments to distribute the QBot malware. Analysts say the campaign currently targets Windows systems.
According to researchers, the attackers deliver the new infection chain through fraudulent emails carrying HTML attachments; the HTML embeds SVG images that themselves contain HTML script tags.
The campaign relies on HTML smuggling, a technique that abuses legitimate HTML and JavaScript features rather than any browser vulnerability. Instead of issuing an HTTP request to fetch malware from a remote server, the attachment carries the encoded malicious payload inside the lure itself and assembles it on the target's device, so URL-reputation and proxy controls never see a download.
The goal is to slip past email gateway scanning: the binary is stored as encoded data inside what looks like ordinary JavaScript, and it is decoded and written to disk only when the target opens the attachment in a web browser.
Unsuspecting victims may open the SVG-laden attachments from these emails.
Experts are concerned because the JavaScript smuggled inside the SVG runs as soon as the HTML attachment is opened, so a user who launches the file even unintentionally is affected immediately.
The researchers explained that when a target opens the HTML attachment from the email, the smuggled JavaScript inside the SVG image runs immediately, reconstructs a ZIP archive in the browser, and prompts the user to save it through a file dialog.
The ZIP archive is password-protected, and the password is printed in the HTML attachment itself. Because the archive is encrypted, gateway and endpoint scanners cannot inspect its contents; the user is effectively asked to decrypt the payload for the attacker. Extracting the archive yields the files that start the QBot trojan.
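The chain described above (a script element inside an SVG, a base64 string decoded into a ZIP, a browser download prompt, a password-protected archive) can be triaged statically before anyone opens the attachment. The Python scanner below is an added example, not code from the researchers or from the campaign. It builds its own harmless sample attachment in-line (a one-file ZIP inside an SVG script; an optional flag flips the ZIP encryption bit without encrypting anything, purely to exercise the check) and reports the indicators: a script inside svg, the browser download APIs a dropper needs, and the decoded blob's file type and ZIP encryption flag. The regexes, API list and magic table are the example's own assumptions.

```python
import base64
import binascii
import io
import re
import struct
import zipfile

# Deliberately loose patterns: real attachments vary case and whitespace.
SVG_RE = re.compile(r"<svg\b.*?</svg>", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
# A quoted run of base64 characters long enough to be a payload rather than a token.
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")

# Browser APIs an HTML-smuggling dropper needs to turn a string into a saved file.
DOWNLOAD_APIS = ("atob(", "new Blob(", "URL.createObjectURL",
                 ".download", "msSaveOrOpenBlob", ".click()")

# File signatures worth recognising in a decoded blob (assumed, minimal table).
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}


def classify_payload(raw: bytes) -> dict:
    """Identify a decoded blob by magic bytes; for a ZIP, read its encryption flag."""
    kind = next((name for sig, name in MAGIC.items() if raw.startswith(sig)), "unknown")
    entry = {"type": kind, "size": len(raw), "encrypted": False}
    if kind == "zip" and len(raw) >= 8:
        # ZIP local file header: general-purpose bit flag at offset 6, bit 0 = encrypted entry.
        flags = struct.unpack_from("<H", raw, 6)[0]
        entry["encrypted"] = bool(flags & 0x1)
    return entry


def scan_attachment(html: str) -> dict:
    """Static triage of one HTML attachment for the SVG smuggling pattern."""
    findings = {
        "svg_with_script": any(SCRIPT_RE.search(svg) for svg in SVG_RE.findall(html)),
        "download_apis": [],
        "payloads": [],
    }
    for script in SCRIPT_RE.findall(html):
        for api in DOWNLOAD_APIS:
            if api in script and api not in findings["download_apis"]:
                findings["download_apis"].append(api)
        for literal in B64_LITERAL_RE.findall(script):
            try:
                raw = base64.b64decode(literal, validate=True)
            except binascii.Error:
                continue  # a long identifier or hex string, not base64
            findings["payloads"].append(classify_payload(raw))
    # Verdict: script inside an SVG plus at least one recognisable embedded file.
    findings["suspicious"] = findings["svg_with_script"] and any(
        p["type"] != "unknown" for p in findings["payloads"])
    return findings


def build_sample_attachment(fake_password_flag: bool = False) -> str:
    """Constructed test input: a harmless one-file ZIP smuggled inside an SVG <script>.

    fake_password_flag only sets the ZIP header's encryption bit so the check can be
    exercised; the archive is not actually encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "not malware")
    raw = bytearray(buf.getvalue())
    if fake_password_flag:
        raw[6] |= 0x1  # low byte of the local header flag field
    b64 = base64.b64encode(bytes(raw)).decode()
    return f"""<html><body>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script type="text/javascript"><![CDATA[
    var data = "{b64}";
    var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
    var blob = new Blob([bytes], {{ type: "application/zip" }});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "document.zip";
    a.click();
  ]]></script>
</svg>
</body></html>"""


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_attachment(build_sample_attachment(fake_password_flag=flag)))
```

The patterns are heuristics: a real dropper will usually split or obfuscate the base64 string and name the APIs indirectly, so a production version should also unfold string concatenations or run the script in a headless browser sandbox and inspect what it writes. An `encrypted` ZIP in the output is the strongest single signal here, since a legitimate attachment has no reason to make the user type a password printed next to it.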
A recent tally shows HTML smuggling becoming more prevalent: HTML, HTM and JPG attachments are among the file types phishing operators send most often.
Cybersecurity experts recommend endpoint protection capable of blocking the execution of obfuscated malicious scripts and of preventing a script from launching downloaded executable content. Where the business can tolerate it, blocking or quarantining HTML and SVG attachments at the mail gateway removes the delivery vector altogether.
Researchers expect HTML smuggling to spread further, as more threat actors are likely to adopt the technique soon.