Cybersecurity researchers from Cisco Talos discovered that Qakbot operators spread malicious software using SVG images built into the HTML email.
This propagation method is called HTML Smuggling (HTML smuggling) – it uses HTML and JavaScript functions to launch encoded malicious code contained in the attachment and delivery of the payload to the victim’s computer.
The attack chain
In the JavaScript-scenario attack chain, it is inserted into the SVG image and is performed when the recipient of the letter launches an HTML attitude. After starting, the script creates a malicious ZIP archive and provides the user with a dialog box to save the file.
ZIP archive is also protected by a password, which is displayed in HTML, after which an ISO-image is extracted for launching a trojan QAKBOT.
The process of infection Qakbot
According to specialists from Sophos, Qakbot collects a wide range of profile information from infected systems, including information about all the user accounts, permits, the installed software, neglected services, etc.