Malware, Threat Management

Windows systems infected with QBot malware through SVG files

BleepingComputer reports that Windows machines are being targeted by a new QBot phishing campaign that uses scalable vector graphics (SVG) files to facilitate HTML smuggling. Attackers are using stolen reply-chain emails to lure potential victims into opening an HTML file attachment, which conceals malicious code using an HTML smuggling technique based on a base64-encoded SVG image, according to a Cisco Talos report. Opening the SVG file triggers the execution of JavaScript code that converts the embedded JS variable "text" into a binary blob, which is later converted to a ZIP archive. "In this case, the JavaScript smuggled inside of the SVG image contains the entire malicious zip archive, and the malware is then assembled by the JavaScript directly on the end user's device. Because the malware payload is constructed directly on the victim's machine and isn't transmitted over the network, this HTML smuggling technique can bypass detection by security devices designed to filter malicious content in transit," said Cisco Talos.
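Because the archive only exists after script runs on the endpoint, a content filter has to unwrap the attachment's layers itself. The following is an added example, not code from Cisco Talos or the article: a heuristic scanner that decodes base64 SVG images in an HTML attachment and flags script whose string literals decode to ZIP data. The function names are hypothetical, the `data:` URI embedding is an assumption, and the sample is constructed and inert.

```python
import base64
import binascii
import re

# Assumption: the SVG is embedded in the HTML attachment as a base64 data: URI
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)", re.I)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Quoted base64 runs inside script are candidate embedded payloads
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
ZIP_MAGIC = b"PK\x03\x04"


def _b64decode(data):
    """Decode base64 leniently; return None if it is not valid base64."""
    cleaned = re.sub(r"\s+", "", data)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_html_attachment(html):
    """Return findings for SVG-based HTML smuggling indicators."""
    findings = []
    for match in SVG_DATA_URI.finditer(html):
        svg = _b64decode(match.group(1))
        if svg is None:
            continue
        svg_text = svg.decode("utf-8", errors="replace")
        for script in SCRIPT_BODY.findall(svg_text):
            findings.append("script-in-svg")  # script in an image is itself suspicious
            for literal in B64_LITERAL.findall(script):
                blob = _b64decode(literal)
                if blob and blob.startswith(ZIP_MAGIC):
                    findings.append("zip-in-script-literal")
    return findings


def build_sample(with_script):
    """Constructed, inert sample: the 'archive' is only the ZIP magic plus zero bytes."""
    fake_zip = base64.b64encode(ZIP_MAGIC + bytes(20)).decode()
    body = f'<script>var text = "{fake_zip}";</script>' if with_script else "<circle r='4'/>"
    svg = f'<svg xmlns="http://www.w3.org/2000/svg">{body}</svg>'
    uri = "data:image/svg+xml;base64," + base64.b64encode(svg.encode()).decode()
    return f'<html><body><embed src="{uri}"></body></html>'
```

Literals that are split, concatenated or otherwise transformed before decoding will not match the ZIP check, so the `script-in-svg` finding is the more durable signal of the two.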
