Recent Qbot, also known as Qakbot, phishing campaigns have been spotted using a new distribution method, utilizing SVG files to perform HTML smuggling. These embedded SVG files contain JavaScript code that decodes and reassembles a malicious ZIP file that is then presented to the user.
Scalable vector graphics, commonly known as SVG, files are XML-based vector images that support the inclusion of HTML <script> tags. When an HTML document loads an SVG file via an iframe, the image is displayed and any JavaScript within the SVG file is executed. Recent Qbot campaigns were seen abusing this feature in their malicious phishing payloads, opting to use SVG images containing malicious JavaScript within their HTML smuggling payloads. When this JavaScript is executed, a hard-coded variable that contains a base64-encoded binary blob is converted into a ZIP archive and presented to the user. The ZIP file is password-protected to evade detection by AV solutions, but the password to the ZIP is included in the image also presented to the user, allowing them to unzip the archive. The rest of the infection follows similar Qbot infection chains, starting with an ISO file that contains a shortcut, or LNK, file that executes a chain ending in the execution of the main Qbot DLL.
The use of SVG files within the HTML smuggling payload is likely used to further obfuscate malicious payloads and increase the chances of evading detection.
Analyst Notes
It is highly recommended to implement and maintain an email security tool to help prevent malicious emails from reaching end users mailboxes. These tools utilize AV scanning and sandboxing to help identify and quarantine malicious attachments in emails. It is also recommended to implement an inbound block on HTML attachments. HTML attachments on inbound external email are generally uncommon, so the feasibility of blocking them outright should be determined to help prevent the more evasive samples from bypassing the other email security controls. It is also recommended to implement and maintain endpoint security controls on all endpoints in an environment. These tools, such as EDRs, can help prevent the execution of malicious payloads from occurring on a system, effectively stopping the infection before it can complete. In cases where prevention may not occur, these tools can also be used to effectively detect potential malicious behavior occurring on a device. Qbot exhibits many behaviors that may be considered suspicious or unusual. Behaviors like an LNK file being executed from a non-system drive, wscript.exe or powershell.exe executing suspicious DLLs with regsvr32.exe or rundll32.exe, and regsvr32.exe and rundll32.exe making abnormal external network connections are all detectable actions that can help find a potential Qbot infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
https://www.bleepingcomputer.com/news/security/attackers-use-svg-files-to-smuggle-qbot-malware-onto-windows-systems/
https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/
