QBot malware phishing campaigns have adopted a new distribution method using SVG files to smuggle HTML that locally creates a malicious installer for Windows.
SVG-based contraband
This technique allows threat actors to bypass security tools and firewalls that monitor malicious files at the perimeter.
Researchers from Cisco Talos observed a new QBot phishing campaign that begins with a stolen reply-chain email prompting the user to open an attached HTML file.
This attachment contains an HTML smuggling technique that uses a base64-encoded Scalable Vector Graphics (SVG) image embedded in the HTML to hide malicious code.
Unlike raster image types, such as JPG and PNG, SVGs are XML-based vector images that can include HTML tags