Attackers Turn to SVG Files to Distribute QBot Malware

In this week’s Cyber Threat Intelligence (CTI) roundup (the series’ final post of 2022!), we take a deep dive into a recent Cisco Talos report detailing a newly documented QakBot (QBot) malware distribution method leveraging Scalable Vector Graphics (SVG) files and HTML smuggling to locally assemble a malicious payload. Next up is a look at batch of three new ransomware families, which Fortinet has charged with leading an ongoing wave of attacks on Windows systems. Finally, we conclude things with an overview of Recorded Future’s 2022 Adversary Infrastructure Report, focusing on the changing trends in the command-and-control (C2) infrastructure used by threat actors — including a 30% increase in the number of unique C2 servers detected in 2022 as compared to last year.

1. Attackers use SVG files to smuggle QBot malware onto Windows systems

A recent Cisco Talos intelligence blog details a novel QBot malware distribution method that uses SVG files to perform HTML smuggling and ultimately assembles a malicious payload locally on victims’ devices.

Put rather simply, when the victim of this attack receives and opens the malicious email attachment, their browser will decode and run an embedded script, thus assembling a malicious payload directly on the victim’s device.

What is HTML smuggling?

HTML smuggling is a malware delivery technique that allows attackers to hide an encoded malicious script within an HTML email attachment or webpage. Regardless of what format the HTML arrives in, opening the HTML decodes the malicious code contained within and assembles the payload on the recipient’s device. This technique allows an attacker to build the malware behind a firewall instead of having to attempt to pass malicious executables through perimeter defenses.

HTML smuggling using SVG

HTML smuggling can be accomplished in a handful of different ways. However, Cisco Talos recently witnessed an attacker deploying a fairly new HTML smuggling technique involving the use of SVG images.

Unlike JPEG image files, SVG images are vector-based – meaning their size can be increased without the image quality suffering. These images are constructed using XML, which conveniently allows them to be placed within HTML.

Cisco Talos has identified malicious emails with HTML attachments featuring encoded SVG images that contain HTML script tags. The inclusion of <script> tags within SVG images is a legitimate feature of SVG that is being abused by attackers to smuggle malicious code onto a victim’s device. With this technique, attackers are taking advantage of the fact that most web browsers will decode and execute this code as if it were a legitimate part of the document’s HTML.

The malicious code smuggled within the SVG image contains the larger malicious zip archive. The malware is then extracted and assembled directly on the victim’s machine. Since the malware payload itself is created on the victim’s machine, this technique enables attackers to bypass basic security detections designed to filter out any malicious content entering the network.

The QBot instance

One of QBot’s known delivery methods involves hijacking a victim’s email and replying to an existing email thread with its malware included as an attachment. This technique takes advantage of the fact that the weaponized email appears to come from a legitimate, trusted source – thus increasing the likelihood that the recipient will interact with the content in the manner desired by the attacker. In the instance observed by Cisco Talos, the hijackers replied to a very old email thread.

When the attachment is opened by the victim, the smuggled code within the SVG image begins its work creating a malicious zip archive. It then presents the victim with a dialog box to save the file. The HTML attachment displays a password that the victims will need to use to open the encrypted zip archive that was just created on the victim’s machine.

Within the HTML attachment, Cisco Talos was able to observe the code leveraged by the attackers to smuggle the JavaScript onto the device. In addition to some known obfuscation techniques, researchers also saw an <embed> tag containing the base64-encoded SVG image. Once this image was decoded and the JavaScript was deobfuscated, Cisco Talos saw the SVG HTML smuggling technique used in this QBot campaign.

• The charCodeAt() function is used to convert text from a JavaScript variable into a binary blob. Using the createObjectURL() function, the binary blob is then converted into a zip archive that the user is prompted to save on their local file system.
• If the victim enters the password provided by the attacker and opens the zip archive, they can extract an ISO file. This ISO file will supposedly infect the victim with QBot.

HTML smuggling statistics

Trustwave recently published a blog regarding HTML file attachments still being a threat, and the aforementioned activity observed by Cisco Talos certainly confirms this.

Trustwave found that HTML file attachments are becoming a common occurrence in their spam traps. Over a 30-day period, Trustwave found that the combination of HTML (11.39%) and HTM (2.7%) files were the second most spammed file attachment – totaling 14.09%.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“HTML smuggling can bypass traditional security tools monitoring for inbound activity as it allows the malicious code to be assembled from inside the network. This highlights the ever-growing need for endpoint protection that can help to prevent the execution of malware.”

“Although HTML smuggling is not a new technique, it’s gaining traction among threat actors due to the abovementioned ability to bypass some security defenses such as content scanning filters. The use of SVG images for HTML smuggling is yet another example of threat actors continually evolving their techniques to remain relevant and successful.”

2. New batch of ransomware families leading attacks on Windows systems

Three new ransomware families have been leading the charge in attacks increasingly targeting Windows systems: Vohuk, ScareCrow, and AESRT (aka AERST).

As stated within Fortinet’s most recent bi-weekly Ransomware Roundup, Vohuk, ScareCrow, and AERST ransomware shares the following common features:

• Affected platforms: Microsoft Windows
• Impacted parties: Microsoft Windows users
• Impact: Encrypts files on the compromised machine and demands ransom for file decryption
• Severity level: High

Here is a closer look at each ransomware family.

Vohuk ransomware

From Fortinet:

“Like most ransomware, the new Vohuk variant encrypts files on compromised machines and tries to extort money from victims. Its dropped ransom note, “README.txt,” asks victims to contact the attacker via email with a unique ID assigned to each victim. As seen in the ransom note, this Vohuk ransomware variant is version 1.3, potentially indicating that the attacker has updated the ransomware several times.”

• Vorhuk encrypts files and appends them with a “.Vohuk” file extension.
• It also replaces targeted files’ icons with a red lock icon (see below) and replaces desktop wallpaper with its own theme.

From Fortinet:

“The ransomware leaves a distinctive mutex, “Global\\VohukMutex,” which prevents different instances of Vohuk ransomware from running on the same system… Based on the file submission locations to VirusTotal, Vohuk ransomware has primarily affected Germany and India.”

ScareCrow ransomware

From Fortinet:

“ScareCrow ransomware appears to have some similarities with the infamous Conti ransomware: both use the CHACHA algorithm to encrypt files and delete shadow copies using wmic based on shadow copy IDs. This is not all that surprising because the Conti ransomware source code was reportedly leaked earlier in the year. However, the ScareCrow threat actor put some effort into developing this ransomware variant, as our analysis found some significant differences. For example, Conti encrypts all command strings with one decryption routine, whereas ScareCrow encrypts every string, including the name of the DLLs it loads (i.e., kernel32), the name of the APIs it uses, and even the command strings with its own decryption routine.”

In most respects, ScareCrow is your typical ransomware. It encrypts files on victims’ machines, and leaves a ransom note in the form of a file named “readme.txt.” The note contains three different Telegram channels victims may use to communicate with their attackers, who typically neglect to leave a financial demand in their ransom notes (a fact that may be indicative of the attackers’ desire to reserve their right to come up with a price on the spot when and if they are contacted by a victim organization’s authorized negotiator).

Fortinet notes that, at time of writing, none of the three Telegram channels were available.

ScareCrow ransomware also appends encrypted files with a “.CROW” file extension to affected files.

AERST ransomware

From Fortinet:

“AESRT is a new ransomware strain that FortiGuard Labs recently came across. It encrypts files on compromised machines and appends an “.AESRT” file extension to the files it encrypts. Instead of leaving a ransom note, the ransomware displays a popup window that includes the attacker’s email address. It also accepts a field to enter the purchased key required to decrypt the ransomed files. The ransomware also deletes shadow copies, which inhibits the victim’s ability to recover files.”

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It is extremely unwise (we say this generally – there are always extenuating circumstances in any situation) to submit payment to ransomware gangs. Not only is there no guarantee that your files will be recovered, but there is also no guarantee that the criminals won’t be coming back for more. In addition, U.S. government organizations of various types and jurisdictions have advised against paying ransoms, and the accompanying reality that doing so could, in many instances, be considered illegal.”

“The important thing to do is remain vigilant for the behavior and TTPs that operations like the ransomware groups described above leverage both before and during their operations and place emphasis on maintaining awareness of the initial access vectors favored by these groups (such as the deployment of “precursor” malware – think QBot and its role in propagating Black Basta ransomware – often delivered via sophisticated phishing campaigns).”

3. Recorded Future: Number of command-and-control servers spiked in 2022

Recorded Future’s new 2022 Adversary Infrastructure Report contains an analysis of command-and-control (C2) infrastructure identified using proactive scanning and collection methods throughout 2022.

Perhaps the most notable item among the report’s key findings is the increase in the number of unique C2 servers discovered in 2022 — a rise of 30% as compared to the previous year. This is a clear indication that cybercriminals and state-backed advanced persistent threat (APT) groups alike are increasingly leveraging these devices to carry out attacks.

A C2 server is basically a computer that issues orders to infected devices. Servers enable threat actors to establish networks for encrypting data, launching attacks, and carrying out other harmful activities.

The report’s authors claim to have detected more than 17,000 C2 servers in 2022, up from 13,629 servers identified the year before.

When examining the top five malware/exploitation frameworks associated with these C2 servers over the past three years, the study reveals a continuous rise in the number of C2 servers linked to Cobalt Strike, Meterpreter and PlugX (a popular remote access trojan favored by China’s state-backed hackers). This comes despite the advanced age of these particular tools.

Other significant contributing families include botnet families such as IcedID and QakBot (the latter of which seems to have experienced quite a successful year), as well as a fully re-emerged Emotet, which – along with QakBot, continued to expand C2 infrastructure throughout 2022.

Additional takeaways from the report

• Researchers observed an average 33-day lead time between detecting a C2 server by their own scanning efforts and when it is reported in other sources.
• PlugX remains in heavy use despite ShadowPad being touted as its “successor.”
• Shifts in Russian state-sponsored C2 infrastructure can make tracking specific operations more difficult than with other state-attributed entities.
• The largest hosting providers continue to have the most C2 server observations, as expected. However, there have been shifts in which providers are being used for C2 servers, including a more than 300% increase in hosting on Shenzhen Tencent Computer Systems that made it the most popular for C2s in Recorded Future’s survey.
• China overtook the U.S. as the top country by volume for C2 server-hosting. While the U.S.’s share of C2 servers dropped from 34% to 22%, China’s shares increased from 14% to 24% mostly due to substantial increase in C2 detections at Chinese hosting provider Shenzhen Tencent Computer Systems.
• In 2021, Recorded Future predicted a more diverse C2 environment in which its researchers would see an increase in detections from new tooling. However, the variety they eventually observed originated from a broader spread of established tooling rather than from the use of new tools.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“When it comes to predicting adversarial C2 infrastructure heading into 2023, it would seem reasonable for one to imagine that stalwart frameworks like Cobalt Strike and botnets like Emotet and QakBot will continue to occupy the top spots resulting from studies such as the one described above, although some experts point to Brute Ratel as Cobalt Strike’s likely successor owing to its lower detection rate among endpoint detection and response (EDR) solutions. Ultimately, it will be the malware/post-exploitation tools/botnet families which emphasize a focus on OPSEC, engage in a continuous cycle of infrastructure changes, and employ outside-the-box TTPs that experience the most success.”

---

Catch up on more of our cyber threat intelligence roundups here.