Attackers use SVG files to smuggle QBot malware onto Windows systems
QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
The attack relies on embedded SVG files containing JavaScript that reassembles a Base64-encoded QBot malware installer, which is then automatically downloaded through the target's browser.
Researchers at Cisco Talos observed a new QBot phishing campaign that starts with a stolen reply-chain email prompting the user to open an attached HTML file.
The attachment uses an HTML smuggling technique in which a base64-encoded SVG image embedded in the HTML hides the malicious code.
"Because the malware payload is constructed directly on the victim's machine and isn't transmitted over the network, this HTML smuggling technique can bypass detection by security devices designed to filter malicious content in transit."
To protect systems from HTML smuggling attacks, block JavaScript or VBScript execution for downloaded content.
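A triage check that a mail gateway or analyst could run on HTML attachments, given here as an added example that is not code from Cisco Talos or the original article: it decodes any base64-encoded SVG embedded in the HTML and reports script-bearing content inside it. The `data:` URI embedding form, the indicator list and the two sample documents are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: the SVG is embedded as a data: URI (image/svg+xml;base64,...).
DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Hypothetical indicator set: active content that a static image never needs.
ACTIVE = {
    "script_element": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    # Client-side file construction, the core of HTML smuggling.
    "blob_download": re.compile(r"\b(Blob|createObjectURL|msSaveOrOpenBlob|atob)\b"),
}


def scan_html(html: str) -> list[dict]:
    """Return one finding per embedded SVG that contains active content."""
    findings = []
    for match in DATA_URI.finditer(html):
        raw = match.group(1)
        try:
            # Re-pad in case the author stripped trailing '=' characters.
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4))
        except binascii.Error:
            continue  # not valid base64, nothing to inspect
        svg = decoded.decode("utf-8", "replace")
        hits = sorted(name for name, rx in ACTIVE.items() if rx.search(svg))
        if hits:
            findings.append({"offset": match.start(), "indicators": hits})
    return findings


def _embed(svg: str) -> str:
    """Wrap an SVG string in a minimal HTML page (constructed test input)."""
    b64 = base64.b64encode(svg.encode()).decode()
    return f'<html><body><embed src="data:image/svg+xml;base64,{b64}"></body></html>'


# Constructed, inert samples: a plain image and an image carrying script.
BENIGN = _embed('<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>')
SUSPECT = _embed('<svg xmlns="http://www.w3.org/2000/svg"><script>'
                 'var b = new Blob(["demo"]);</script></svg>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_html(doc))
```

Because the check decodes the embedded image before matching, it sees the script that a scan of the raw attachment text would miss.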