Cisco Talos: Trojan Qakbot now spreads inside SVG images

Cybersecurity researchers from Cisco Talos discovered that Qakbot operators are distributing the malware using SVG images embedded in HTML email attachments.

This delivery method is called HTML smuggling: it uses HTML and JavaScript features to decode and launch encoded malicious code contained in the attachment and deliver the payload to the victim's computer.

The attack chain

In this attack chain, the JavaScript is embedded in the SVG image and executes when the recipient opens the HTML attachment. Once running, the script assembles a malicious ZIP archive and presents the user with a dialog box to save the file.

The ZIP archive is also password-protected, with the password displayed in the HTML page. It contains an ISO image from which the Qakbot trojan is launched.
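As an added illustration of how a defender might triage such attachments (example code written for this page, not Cisco Talos or Sophos tooling), the following Python heuristically flags HTML files whose inline SVG contains a script carrying typical in-browser file-assembly indicators. The indicator list and the sample attachment are constructed for the example.

```python
"""Heuristic scanner for HTML smuggling via inline SVG (added example)."""
import re
from html.parser import HTMLParser

# Generic markers of a script that assembles a file in the browser and
# offers it for download. Constructed for this example, not signatures
# published by Talos; treat hits as triage leads, not verdicts.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_assembly": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|download\s*=\s*['\"]", re.I),
    "zip_magic_b64": re.compile(r"UEsDB"),  # base64 of the PK\x03\x04 ZIP header
}

class SvgScriptCollector(HTMLParser):
    """Collect the bodies of <script> elements nested inside an <svg>."""
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth:
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data  # script text arrives as raw CDATA

def scan_html(html):
    """Return the sorted indicator names found in SVG-embedded scripts."""
    p = SvgScriptCollector()
    p.feed(html)
    return sorted({n for body in p.scripts for n, rx in INDICATORS.items() if rx.search(body)})

# Constructed sample attachment: indicator tokens only, not a working script.
SAMPLE = """<html><body><p>Password: 1234</p>
<svg xmlns="http://www.w3.org/2000/svg"><script>
atob("UEsDB_PLACEHOLDER"); new Blob([]); URL.createObjectURL(x); a.download = "";
</script></svg></body></html>"""
BENIGN = "<html><svg><circle r='5'/></svg><script>console.log(1)</script></html>"

if __name__ == "__main__":
    print(scan_html(SAMPLE), scan_html(BENIGN))
```

Scripts outside the SVG are deliberately ignored so that ordinary page scripting does not raise alerts; a mail gateway would typically run this over each HTML attachment before release.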

The Qakbot infection process

According to Sophos researchers, Qakbot collects a wide range of profiling information from infected systems, including details of all user accounts, permissions, installed software, running services, and so on.

Source: media reports.