Phishing campaigns involving the Qakbot malware are utilizing Scalable Vector Graphics (SVG) photos embedded in HTML electronic mail attachments.
The brand new distribution methodology was noticed by Cisco Talos, which mentioned it recognized fraudulent electronic mail messages that includes HTML attachments with encoded SVG photos that incorporate HTML script tags.
HTML smuggling is a approach that depends on utilizing respectable options of HTML and JavaScript to run encoded malicious code contained throughout the lure attachment and assemble the payload on a sufferer’s machine versus making an HTTP request to fetch the malware from a distant server.
In different phrases, the thought is to evade electronic mail gateways by storing a binary within the type of a JavaScript code that is decoded and downloaded when opened by way of an online browser.
The assault chain noticed by the cybersecurity firm issues a JavaScript that is smuggled inside the SVG picture and executed when the unsuspecting electronic mail recipient launches the HTML attachment.
“When the sufferer opens the HTML attachment from the e-mail, the smuggled JavaScript code contained in the SVG picture springs into motion, making a malicious ZIP archive after which presenting the consumer with a dialog field to avoid wasting the file,” researchers Adam Katz and Jaeson Schultz mentioned.
The ZIP archive can be password-protected, requiring customers to enter a password that is displayed within the HTML attachment, following which an ISO picture is extracted to run the Qakbot trojan.
The discovering comes as latest analysis from Trustwave SpiderLabs exhibits that HTML smuggling assaults are a standard incidence, with .HTML (11.39%) and .HTM (2.7%) recordsdata accounting for the second most spammed file attachment kind after .JPG photos (25.29%) in September 2022.
“Having sturdy endpoint safety can stop execution of probably obfuscated scripts, and forestall scripts from launching downloaded executable content material,” the researchers mentioned.
“HTML smuggling’s means to bypass content material scanning filters implies that this system will most likely be adopted by extra risk actors and used with rising frequency.”