
Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems

Cybersecurity | S.I.S | 17th December, 2022


Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments.

The new distribution method was spotted by Cisco Talos, which said it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags.

HTML smuggling is a technique that relies on using legitimate features of HTML and JavaScript to run encoded malicious code contained within the lure attachment and assemble the payload on a victim's machine as opposed to making an HTTP request to fetch the malware from a remote server.

In other words, the idea is to evade email gateways by storing a binary in the form of a JavaScript code that's decoded and downloaded when opened via a web browser.

The attack chain spotted by the cybersecurity company concerns JavaScript that is smuggled inside the SVG image and executed when the unsuspecting email recipient opens the HTML attachment.
"When the victim opens the HTML attachment from the email, the smuggled JavaScript code inside the SVG image springs into action, creating a malicious ZIP archive and then presenting the user with a dialog box to save the file," researchers Adam Katz and Jaeson Schultz said.

The ZIP archive is also password-protected, requiring users to enter a password that's displayed in the HTML attachment, following which an ISO image is extracted to run the Qakbot trojan.
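As an added illustration of the defensive side of the technique described above (this is not code from the original article or from Cisco Talos): a small Python scanner that inspects an HTML attachment, decodes any base64-encoded SVG it finds, and flags scripts that combine the browser APIs HTML smuggling relies on (client-side base64 decoding, in-memory Blob assembly, a programmatic download). The indicator list, the threshold and both sample attachments are constructed assumptions; the embedded SVG stub carries only indicator tokens, not working script.

```python
import base64
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Tuple

# Browser APIs that HTML smuggling combines: the payload travels inside the
# attachment and is assembled and saved client-side, with no HTTP fetch.
# Assumed indicator list; tune to your own telemetry.
SMUGGLING_TOKENS = {
    "atob(": "base64 decode in the browser",
    "Blob(": "in-memory file assembly",
    ".download": "anchor-triggered save dialog",
    "createObjectURL(": "blob: URL for the assembled file",
    "msSaveOrOpenBlob": "legacy IE/Edge save API",
    "click()": "programmatic click to trigger the download",
}

# Base64 SVG data URIs, the form Talos describes (SVG encoded inside the HTML).
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Finding:
    source: str        # where the script was found ("html", "html/svg", "data-uri-svg/svg")
    tokens: List[str]  # indicator tokens present in that script
    script_len: int


class _ScriptCollector(HTMLParser):
    """Collect <script> bodies and note whether each sits inside an <svg> element."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.scripts: List[Tuple[bool, str]] = []
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script" and self.in_script:
            self.in_script = False
            self.scripts.append((self.svg_depth > 0, "".join(self._buf)))

    def handle_data(self, data):
        if self.in_script:
            self._buf.append(data)


def _scripts_from(markup: str, label: str) -> List[Tuple[str, str]]:
    p = _ScriptCollector()
    p.feed(markup)
    p.close()
    return [(label + ("/svg" if in_svg else ""), text) for in_svg, text in p.scripts]


def scan_attachment(html: str) -> List[Finding]:
    """Return one Finding per script that contains at least one indicator token."""
    candidates = _scripts_from(html, "html")
    # Decode every base64 SVG data URI and parse the SVG for its own <script> tags.
    for m in SVG_DATA_URI.finditer(html):
        try:
            svg = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        candidates += _scripts_from(svg, "data-uri-svg")
    findings = []
    for source, text in candidates:
        hits = [t for t in SMUGGLING_TOKENS if t in text]
        if hits:
            findings.append(Finding(source, hits, len(text)))
    return findings


def verdict(findings: List[Finding], threshold: int = 3) -> bool:
    """Flag when one script shows several distinct indicators; a single token
    such as click() is common in benign pages, the full combination is not."""
    return any(len(f.tokens) >= threshold for f in findings)


# Constructed samples (not real lures). The SVG stub is indicator tokens only;
# it is not valid JavaScript and does nothing if rendered.
_SVG_STUB = (
    '<svg xmlns="http://www.w3.org/2000/svg"><script>/* indicator stub */ '
    'atob( Blob( createObjectURL( .download click()</script></svg>'
)
SAMPLE_MALICIOUS = (
    "<html><body><p>Open to view your document</p><span hidden>"
    "data:image/svg+xml;base64," + base64.b64encode(_SVG_STUB.encode()).decode()
    + "</span></body></html>"
)
SAMPLE_BENIGN = (
    '<html><body><svg><circle r="5"/></svg>'
    '<script>document.querySelector("button").click()</script></body></html>'
)

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        fs = scan_attachment(sample)
        print(name, "-> flagged" if verdict(fs) else "-> clean", [(f.source, f.tokens) for f in fs])
```

The scanner deliberately looks inside decoded SVG rather than only at the outer HTML, because a gateway that inspects only top-level `<script>` tags never sees a script wrapped in a base64 data URI. A mail gateway hook would run `scan_attachment` over every `.html`/`.htm` attachment and quarantine on `verdict`.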

The finding comes as recent research from Trustwave SpiderLabs shows that HTML smuggling attacks are a common occurrence: .HTML (11.39%) and .HTM (2.7%) files accounted for the second most spammed file attachment type after .JPG images (25.29%) in September 2022.

"Having robust endpoint protection can prevent execution of potentially obfuscated scripts, and prevent scripts from launching downloaded executable content," the researchers said.

"HTML smuggling's ability to bypass content scanning filters means that this technique will probably be adopted by more threat actors and used with increasing frequency."

Copyright © Scholar Indexing Society All Rights Reserved.