QakBot, also known as QBot or PinkSlip, operators are using a relatively new technique that leverages Scalable Vector Graphics (SVG) images embedded in HTML email attachments, also known as HTML smuggling attacks.
How does it work?
According to Talos researchers, QakBot operators send phishing emails featuring HTML attachments containing obfuscated SVG images.
- Attackers exploit HTML script functions for SVG image tags to smuggle malicious JavaScript code onto a victim's computer.
- When the attachment is opened, the JavaScript creates a malicious password-protected ZIP archive and pops up a save-file dialog box.
- The ZIP archive requires users to enter a password that is displayed in the HTML attachment. On entering the password, an ISO image is extracted to run QakBot directly on the victim’s device.
Rise in HTML smuggling incidents
According to Trustwave SpiderLabs’ recent research, HTML smuggling attack is becoming a common method used by cyber attackers.
- HTML has become the second and third most abused file type during attacks, with .HTML used in 11.39% of cases and .HTM in 2.7% of cases observed in September.
- The top most abused file attachment type has been .JPG images (25.29%).
QakBot’s recent campaigns
QakBot operators keep evolving new methods to drop malware payloads without getting detected.
- The Black Basta ransomware gang was using QakBot to distribute Cobalt Strike on several machines in the infected environment.
- In phishing attacks, attackers were using a Windows zero-day vulnerability (CVE-2022-44698) to drop QBot without displaying Mark of the Web security warnings.
- QBot was using a DLL hijacking flaw in the Windows 10 Control Panel EXE to infect computers without getting detected.
Conclusion
HTML smuggling provides stealth-like capabilities to the attackers, and therefore, experts expect an increase in the use of this technique by more attackers in the future. To stay protected, it is recommended to have a robust end-point protection system to prevent the download and launch of malicious executable files.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/05a5_shutterstock_2083694662.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/0531_shutterstock_307210721.jpg)
