Attackers exploit legal-themed emails and weaponized SVG files to deliver remote access trojans, evade detection, and harvest sensitive information.
A sophisticated cyberattack campaign has been uncovered targeting users in Colombia with court-themed phishing emails carrying malicious SVG file attachments.
The operation leverages social engineering techniques to impersonate judicial authorities, tricking recipients into opening attachments that appear to be official documents. Once opened, these SVG files initiate a multi-stage infection process designed to evade traditional email security filters.
The attack chain begins with the SVG attachment, which contains embedded JavaScript that redirects victims to download additional malicious files hosted on established cloud platforms. These files ultimately deliver remote access trojans, specifically AsyncRAT and RemcosRAT, enabling attackers to gain persistent control over compromised systems.
The malware is capable of harvesting credentials, exfiltrating sensitive data, logging keystrokes, and potentially facilitating further attacks, including ransomware deployment or lateral movement within an organization’s network.
Furthermore, attackers were found to use a range of advanced evasion tactics to avoid detection and analysis:
- DLL side-loading, which allows malicious code to run under the guise of legitimate software, and User Account Control bypass techniques to escalate privileges without alerting the user.
- Payload obfuscation and anti-analysis measures to complicate attempts by security researchers to dissect the malware.
- Using established cloud services for hosting malicious payloads to make it challenging for defenders to distinguish between legitimate and harmful network traffic. Relying on publicly accessible infrastructure to host and distribute their malicious files, makes it more difficult for defenders to block the threat based on domain reputation alone.
Technical indicators, such as the use of Spanish and Portuguese language strings and references to Colombian institutions, underscore the regional targeting and suggest possible links to broader Latin American cybercriminal activity.
The campaign’s reliance on social engineering and technical sophistication highlights the evolving nature of email-based threats, as well as the SVG format’s poor cyber history and inherent insecurity.
According to Acronis Threat Research Unit, the entity that investigated the threat, the campaign is ongoing, and, while not a new tactic, should alert defenders everywhere to step up detection and quarantining of SVG attachments on top of the usual phishing interception protocols.
