Malware hidden in the JavaScript code of an SVG file

December 16, 2022

Cisco Talos Intelligence recently published an entry about an interesting attack whose purpose was to deliver and detonate malicious code, ending with the well-known Qakbot Trojan being downloaded onto potential victims' machines. The attack vector is an e-mail message with an HTML file attachment; the attachment contains a base64-encoded SVG graphics file.

The main characteristic of this type of file is that it is based on XML, which allows, among other things, a <script> element to be nested inside it, exactly as in HTML. That element, as you know, carries code written in JavaScript. When the attachment is opened, the browser renders the SVG file nested within it and… executes the JavaScript contained in it. Cisco's analysis of the code shows that it contains a ZIP archive which, interestingly, is not downloaded from the Internet but assembled directly on the victim's device from one of the variables in the JS code. This is meant to fool security controls that rely on network traffic analysis. The ZIP archive is additionally password-protected; the password is displayed by the browser when the HTML attachment is opened. Inside the ZIP is an ISO file, and only after that file is opened does the Qakbot download sequence start.
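The chain described above (HTML attachment → base64 SVG → script → ZIP assembled from a string literal) can be triaged without opening the attachment in a browser. The script below is an added example, not code from the Talos write-up or from the malware: it builds a constructed lookalike attachment (a harmless ZIP holding a placeholder named like an ISO, wrapped in an SVG whose script would turn it into a Blob download, wrapped in base64 inside an HTML page), then scans any HTML for long base64 runs that decode to SVG, looks for <script> inside the SVG, and decodes base64 literals in the script to see whether one starts with the ZIP magic bytes. File names, the "invoice" naming and the `<embed>` wrapper are assumptions for the sample.

```python
"""Offline triage of an HTML attachment for a base64-smuggled SVG that carries
a <script> block assembling a ZIP in the browser.
Added example: the sample attachment below is constructed here so the script
runs with no network access; it is not the real Qakbot attachment."""
import base64
import io
import re
import zipfile

# A run of base64 alphabet characters long enough to be a payload, plus padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")
SCRIPT = re.compile(rb"<script[^>]*>(.*?)</script>", re.S | re.I)
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def decode_b64_runs(data: bytes):
    """Yield (offset, decoded_bytes) for every long base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(data):
        try:
            yield m.start(), base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue


def describe_zip(data: bytes) -> dict:
    """Summarise an in-memory ZIP: entry names and whether entries are encrypted
    (general purpose flag bit 0, which a password-protected archive sets)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return {
            "size": len(data),
            "entries": [i.filename for i in infos],
            "encrypted": any(i.flag_bits & 0x1 for i in infos),
        }


def triage_attachment(html: bytes) -> dict:
    """Walk HTML -> base64 SVG -> <script> -> base64 literal -> ZIP and report."""
    report = {"svg_found": False, "script_in_svg": False, "embedded_archives": []}
    for _, blob in decode_b64_runs(html):
        if b"<svg" not in blob.lower():
            continue
        report["svg_found"] = True
        for script in SCRIPT.finditer(blob):
            report["script_in_svg"] = True
            for _, inner in decode_b64_runs(script.group(1)):
                if inner.startswith(ZIP_MAGIC):
                    report["embedded_archives"].append(describe_zip(inner))
    return report


def build_sample_attachment() -> bytes:
    """Constructed lookalike of the attachment. The ZIP holds a placeholder
    named like the ISO; the SVG script mirrors the Blob-download trick but is
    never executed here (the triage is pure parsing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # unencrypted: stdlib cannot write AES/ZipCrypto
        zf.writestr("invoice.iso", b"constructed placeholder, not a disc image\n" * 8)
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    svg = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script>
var payload = "{zip_b64}";
var bytes = Uint8Array.from(atob(payload), function(c){{return c.charCodeAt(0)}});
var url = URL.createObjectURL(new Blob([bytes], {{type: "application/zip"}}));
var a = document.createElement("a"); a.href = url; a.download = "invoice.zip"; a.click();
</script>
</svg>"""
    svg_b64 = base64.b64encode(svg.encode()).decode()
    # <embed>, <object>, <iframe> or inline SVG execute the SVG's script; <img> does not.
    return (
        '<html><body>Archive password: 1234'
        f'<embed src="data:image/svg+xml;base64,{svg_b64}"></body></html>'
    ).encode()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_attachment(build_sample_attachment()), indent=2))
```

Run against a real attachment, `encrypted` would be `True` for the password-protected archive the post describes, and the entry list would show the ISO. Note that the browser only runs a script inside an SVG when the SVG is inline or loaded via `<object>`, `<embed>`, `<iframe>` or direct navigation; an SVG referenced from `<img>` never executes script, which is why the sample uses `<embed>`.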

Sources:
Attackers use SVG files to smuggle QBot malware onto Windows systems
HTML smugglers turn to SVG images
