Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems

Dec 15, 2022 | Ravie Lakshmanan | Email Security / Endpoint Security

Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments.

The new distribution method was spotted by Cisco Talos, which said it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags.

HTML smuggling is a technique that relies on using legitimate features of HTML and JavaScript to run encoded malicious code contained within the lure attachment and assemble the payload on a victim's machine, as opposed to making an HTTP request to fetch the malware from a remote server.

In other words, the idea is to evade email gateways by storing a binary in the form of JavaScript code that is decoded and downloaded when opened via a web browser.

The attack chain spotted by the cybersecurity company concerns JavaScript that is smuggled within the SVG image and executed when the unsuspecting email recipient launches the HTML attachment.

"When the victim opens the HTML attachment from the email, the smuggled JavaScript code inside the SVG image springs into action, creating a malicious ZIP archive and then presenting the user with a dialog box to save the file," researchers Adam Katz and Jaeson Schultz said.

The ZIP archive is also password-protected, requiring users to enter a password that is displayed in the HTML attachment, following which an ISO image is extracted to run the Qakbot trojan.
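The pattern described above (script tags carried inside an SVG, decoding an embedded blob in the browser and forcing a file download) is what a mail gateway or endpoint scanner should look for. The following is an added example, not code from the article or from Talos: a small Python scanner that collects `<script>` elements nested inside `<svg>` content, also decoding base64 SVG data URIs so an encoded SVG does not escape the check, and flags the attachment when two or more smuggling indicators appear. The indicator list, the data-URI regex and the sample attachments are all constructed for this example.

```python
import base64, re
from html.parser import HTMLParser

# Indicators of HTML smuggling: the script decodes an embedded blob in the
# browser and forces a file download, never fetching the payload over the network.
SMUGGLING_TOKENS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob", ".download")
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)

class _SvgScriptCollector(HTMLParser):
    """Collect the text of every <script> element nested inside an <svg>."""
    def __init__(self):
        super().__init__()
        self.svg_depth, self.in_script, self.scripts = 0, False, []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_html_attachment(html: str) -> dict:
    """Report smuggling indicators found in scripts embedded in SVG content.
    Base64 SVG data URIs are decoded and scanned too, since the SVG and its
    script need not appear in clear text inside the attachment."""
    parser = _SvgScriptCollector()
    parser.feed(html)
    for m in SVG_DATA_URI.finditer(html):
        try:
            parser.feed(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # malformed base64: skip it, the clear-text scan still applies
            continue
    found = sorted({t for s in parser.scripts for t in SMUGGLING_TOKENS if t in s})
    return {"svg_scripts": len(parser.scripts), "indicators": found,
            "suspicious": bool(parser.scripts) and len(found) >= 2}

# Constructed samples (not real lures): one script-bearing SVG fragment, placed
# inline and then base64-encoded inside an <img> data URI; a plain icon SVG is benign.
_SVG_WITH_SCRIPT = ('<svg xmlns="http://www.w3.org/2000/svg"><script>var b = new Blob([atob(data)]);'
                    ' a.href = URL.createObjectURL(b); a.download = name;</script></svg>')
SAMPLE_HTML = "<html><body><svg><rect width='4' height='4'/></svg>" + _SVG_WITH_SCRIPT + "</body></html>"
SAMPLE_HTML_ENCODED = ('<html><body><img src="data:image/svg+xml;base64,%s"></body></html>'
                       % base64.b64encode(_SVG_WITH_SCRIPT.encode()).decode())
```

A script outside any `<svg>` element is deliberately ignored here; extend the collector if you also want to score ordinary inline scripts.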

The findings come as recent research from Trustwave SpiderLabs reveals that HTML smuggling attacks are a common occurrence, with .HTML (11.39%) and .HTM (2.7%) files accounting for the second most spammed file attachment type after .JPG images (25.29%) in September 2022.

"Having robust endpoint security can prevent execution of potentially obfuscated scripts, and prevent scripts from launching downloaded executable content," the researchers said.

"HTML smuggling's ability to bypass content scanning filters means that this technique will probably be adopted by more threat actors and used with increasing frequency."
