Embedding the payload in an SVG file within the HTML smuggling attachment is most likely intended to add a further layer of obfuscation and improve the chances of evading detection.
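One way to triage HTML attachments for this pattern at the mail gateway, as an added example that is not code from the original post: the script below flags an HTML document that carries a script-bearing inline SVG together with the JavaScript APIs and large base64 literals that HTML smuggling relies on to assemble a file client-side. The sample attachment is constructed for illustration and is not the sample analyzed here; the API list and the 64-character base64 threshold are assumptions.

```python
"""Triage heuristic for HTML attachments that smuggle a payload through an
inline SVG. Added example, not code from the original post."""
import base64
import re

# Regexes are deliberate: smuggled HTML is small and the goal is a fast
# gateway-side check, not a faithful DOM. Case-insensitive, newline-spanning.
SVG_RE = re.compile(r"<svg\b.*?</svg\s*>", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
# JavaScript used to turn an embedded blob into a file on the client. Each is
# legitimate on its own; combined with a large base64 literal it is the
# HTML smuggling pattern. (Assumed list, not from the original post.)
SMUGGLE_APIS = ("atob(", "new Blob(", "URL.createObjectURL(",
                "msSaveOrOpenBlob(", ".download")
# Quoted base64 literal of 64+ chars; real payload fragments are far larger.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")


def triage_html(html: str) -> dict:
    """Collect smuggling indicators from one HTML attachment."""
    svgs = SVG_RE.findall(html)
    outside_svg = SVG_RE.sub("", html)
    b64 = [m.group(1) for m in B64_RE.finditer(html)]
    return {
        "svg_count": len(svgs),
        "svg_with_script": sum(1 for s in svgs if SCRIPT_RE.search(s)),
        "script_outside_svg": len(SCRIPT_RE.findall(outside_svg)),
        "smuggle_apis": [api for api in SMUGGLE_APIS if api in html],
        "base64_literals": len(b64),
        "base64_bytes": sum(len(s) for s in b64),
    }


def verdict(findings: dict) -> str:
    """Map findings to a triage verdict; the thresholds are assumptions."""
    if findings["svg_with_script"] and (findings["smuggle_apis"] or findings["base64_literals"]):
        return "suspicious: script-bearing SVG with smuggling indicators"
    if len(findings["smuggle_apis"]) >= 2 and findings["base64_literals"]:
        return "suspicious: client-side file assembly with embedded data"
    return "no indicators"


# Constructed sample attachment: an SVG whose <script> decodes a base64 blob
# and hands it to the browser as a download. The blob is a dummy 96-byte
# buffer, not a real payload.
_DUMMY_BLOB = base64.b64encode(b"MZ" + b"\x00" * 94).decode()
SAMPLE_HTML = f"""<html><body>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script type="text/javascript"><![CDATA[
var p = "{_DUMMY_BLOB}";
var b = new Blob([Uint8Array.from(atob(p), c => c.charCodeAt(0))]);
var a = document.createElement("a");
a.href = URL.createObjectURL(b); a.download = "invoice.zip"; a.click();
]]></script>
</svg>
</body></html>"""

# Constructed benign document: an SVG used purely as an image.
BENIGN_HTML = ('<html><body><p>Quarterly report attached.</p>'
               '<svg width="8" height="8"><circle r="4"/></svg></body></html>')

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        findings = triage_html(doc)
        print(name, verdict(findings), findings)
```

The check is intentionally content-based: it does not need the gateway to decode the smuggled file, which is the point of the technique, only to recognise the scaffolding that decodes it on the client.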
It is highly recommended to implement and maintain an email security tool to help prevent malicious emails from reaching end users' mailboxes. These tools use AV scanning and sandboxing to identify and quarantine malicious attachments before they are delivered.

It is also recommended to block HTML attachments on inbound external email. HTML attachments from external senders are generally uncommon in legitimate mail, so the feasibility of blocking them outright should be assessed. Doing so catches the more evasive samples that slip past AV and sandbox analysis, which matters here because an HTML smuggling attachment assembles its payload in the recipient's browser rather than carrying a file the gateway can scan directly.

Endpoint security controls, such as an EDR, should be implemented and maintained on every endpoint in the environment. These tools can prevent the malicious payload from executing, stopping the infection before it can complete, and where prevention does not occur they provide the telemetry needed to detect the malicious behavior on the device.

Qbot exhibits many behaviors that stand out as suspicious or unusual: an LNK file being executed from a non-system drive, wscript.exe or powershell.exe launching regsvr32.exe or rundll32.exe to load a suspicious DLL, and regsvr32.exe or rundll32.exe making abnormal external network connections. Each of these actions is detectable and can help surface a Qbot infection. Binary Defense's Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
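The endpoint behaviors listed above, expressed as detection logic run over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events. This is an added example, not Binary Defense's detection content; the events are fabricated for illustration, and the field names, the process sets, and the use of "working directory on a non-system drive" as a proxy for an LNK launch from a mounted ISO or USB drive are assumptions.

```python
"""Detection logic for the Qbot endpoint behaviours above, run over
constructed Sysmon-style events. Added example; not Binary Defense's
detection content."""
import ipaddress
import ntpath

SYSTEM_DRIVE = "C:"
SCRIPT_HOSTS = {"wscript.exe", "powershell.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Internal ranges are checked explicitly rather than via ip_address().is_private,
# which also treats documentation space such as 203.0.113.0/24 (used in the
# sample below) as private and would silently hide the beacon.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rule_lnk_non_system_drive(ev: dict) -> bool:
    """Assumed proxy for 'LNK executed from a non-system drive': explorer.exe
    spawning a script host or cmd.exe whose working directory is on another
    drive, the footprint of a double-clicked LNK in a mounted ISO or on USB."""
    return (ev["EventID"] == 1
            and basename(ev["ParentImage"]) == "explorer.exe"
            and basename(ev["Image"]) in SCRIPT_HOSTS | {"cmd.exe"}
            and not ev.get("CurrentDirectory", SYSTEM_DRIVE).upper().startswith(SYSTEM_DRIVE))


def rule_script_host_spawns_loader(ev: dict) -> bool:
    """wscript.exe or powershell.exe launching regsvr32.exe / rundll32.exe."""
    return (ev["EventID"] == 1
            and basename(ev["ParentImage"]) in SCRIPT_HOSTS
            and basename(ev["Image"]) in DLL_LOADERS)


def rule_loader_external_connection(ev: dict) -> bool:
    """regsvr32.exe / rundll32.exe initiating a connection to an external address."""
    return (ev["EventID"] == 3
            and ev.get("Initiated", True)
            and basename(ev["Image"]) in DLL_LOADERS
            and is_external(ev["DestinationIp"]))


RULES = {
    "lnk_non_system_drive": rule_lnk_non_system_drive,
    "script_host_spawns_loader": rule_script_host_spawns_loader,
    "loader_external_connection": rule_loader_external_connection,
}


def detect(events: list) -> list:
    """Return (rule, event index, image) for every event a rule matches."""
    return [(name, i, basename(ev["Image"]))
            for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed events approximating Sysmon fields: a typical Qbot chain
# (indices 0-2) followed by benign activity (3-5). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "D:\\",
     "CommandLine": r'wscript.exe "D:\invoice.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CurrentDirectory": "D:\\",
     "CommandLine": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\update.dat"},
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe", "Initiated": True,
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "Initiated": True,
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "CurrentDirectory": r"C:\Windows\Temp",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The three rules are deliberately narrow and keyed on parent/child relationships and the originating image rather than on file names, so a renamed DLL or a different staging directory does not evade them; the installer-driven regsvr32.exe launch in the last sample event shows the parent check doing its job.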