Hackers Using SVG Files to Smuggle QBot Malware onto Windows Systems


Dec 15, 2022 | Ravie Lakshmanan | Email Security / Endpoint Security

Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments.

The new distribution method was spotted by Cisco Talos, which said it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags.

HTML smuggling is a technique that relies on using legitimate features of HTML and JavaScript to run encoded malicious code contained within the lure attachment and assemble the payload on a victim's machine, as opposed to making an HTTP request to fetch the malware from a remote server.

In other words, the idea is to evade email gateways by storing a binary in the form of JavaScript code that is decoded and downloaded when opened via a web browser.

The attack chain spotted by the cybersecurity company concerns JavaScript that is smuggled inside the SVG image and executed when the unsuspecting email recipient launches the HTML attachment.

"When the victim opens the HTML attachment from the email, the smuggled JavaScript code inside the SVG image springs into action, creating a malicious ZIP archive and then presenting the user with a dialog box to save the file," researchers Adam Katz and Jaeson Schultz said.

The ZIP archive is also password-protected, requiring users to enter a password that is displayed in the HTML attachment, following which an ISO image is extracted to run the Qakbot trojan.
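As an added illustration (not the article's own code and not Cisco Talos tooling), the following Python script performs a static triage of an HTML attachment for the indicators the chain above relies on: a script tag nested inside an SVG element, a base64 decode step, in-browser file assembly, and a forced save dialog. Both sample attachments are constructed for the demo and contain no real payload; the indicator names and the scoring threshold are assumptions of this example, not thresholds from the research.

```python
"""Static triage of HTML e-mail attachments for SVG-based HTML smuggling.

Added example; not code from the article or from Cisco Talos.
The sample attachments below are constructed, not captured from a campaign.
"""
import re
from html.parser import HTMLParser

# JavaScript patterns that together match the behaviour described in the
# article: decode an embedded blob, assemble a file in the browser, and
# push a save dialog to the user. Names are this example's own labels.
JS_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "in_browser_file": re.compile(r"\bnew\s+Blob\s*\("),
    "save_dialog": re.compile(r"\bmsSaveOrOpenBlob\b|\.download\s*="),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


class SvgScriptFinder(HTMLParser):
    """Collect the body of every <script> element nested inside an <svg>."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0       # >0 while inside one or more <svg> elements
        self.in_script = False   # True while inside a <script> nested in <svg>
        self.scripts = []        # bodies of scripts found inside <svg>
        self.total_scripts = 0   # every <script> seen, for the summary

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.total_scripts += 1
            if self.svg_depth > 0:
                self.in_script = True
                self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; append to the last one.
        if self.in_script:
            self.scripts[-1] += data


def triage_attachment(html):
    """Return the smuggling indicators found in one HTML attachment.

    'suspicious' is set when a script lives inside an SVG and at least two
    of the JavaScript indicators fire (threshold chosen for this example).
    """
    parser = SvgScriptFinder()
    parser.feed(html)
    parser.close()
    hits = set()
    for body in parser.scripts:
        for name, pattern in JS_INDICATORS.items():
            if pattern.search(body):
                hits.add(name)
    return {
        "script_in_svg": bool(parser.scripts),
        "total_scripts": parser.total_scripts,
        "indicators": sorted(hits),
        "suspicious": bool(parser.scripts) and len(hits) >= 2,
    }


# Constructed sample: a plain SVG chart with no script, as a benign baseline.
BENIGN_HTML = """<html><body>
<p>Quarterly chart</p>
<svg width="100" height="100"><circle cx="50" cy="50" r="40"/></svg>
</body></html>"""

# Constructed sample: the structural shape the article describes, with a
# placeholder string in place of any encoded content.
SUSPICIOUS_HTML = """<html><body>
<p>Your document is ready. Password: 1234</p>
<svg xmlns="http://www.w3.org/2000/svg"><script>
  var bin = atob("BASE64_BLOB_PLACEHOLDER");
  var blob = new Blob([bin]);
  var a = document.createElement("a");
  a.download = "invoice.zip";
</script></svg>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, triage_attachment(sample))
```

The parser deliberately keys on structure (a script element inside an SVG) before looking at content, because the encoded blob itself changes from campaign to campaign while the decode-assemble-save shape does not. In a mail gateway this check would run on every HTML or HTM attachment and on SVG files referenced from them, and a hit should quarantine the message rather than merely annotate it.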

The finding comes as new research from Trustwave SpiderLabs reveals that HTML smuggling attacks are a common occurrence, with .HTML (11.39%) and .HTM (2.7%) files accounting for the second most spammed file attachment type after .JPG images (25.29%) in September 2022.

"Having strong endpoint protection can prevent execution of potentially obfuscated scripts, and prevent scripts from launching downloaded executable content," the researchers said.

"HTML smuggling's ability to bypass content scanning filters means that this technique will probably be adopted by more threat actors and used with increasing frequency."
