Cybercriminals have launched a sophisticated phishing campaign targeting Colombian users by sending fraudulent judicial notifications. This multi-stage attack culminates in the deployment of AsyncRAT, a remote access trojan designed to steal sensitive information.
Deceptive Emails Mimicking Legal Authorities
The attackers craft convincing emails in Spanish, impersonating the Juzgado 17 Civil Municipal del Circuito de Bogotá (17th Municipal Civil Court of the Bogotá Circuit). These messages inform recipients of alleged lawsuits filed against them, creating a sense of urgency and authenticity through formal legal language and official-sounding names.
Malicious SVG Attachments as Initial Attack Vectors
The fraudulent emails include SVG (Scalable Vector Graphics) file attachments named Fiscalia General De La Nacion Juzgado Civil 17.svg, translating to Attorney General’s Office Civil Court 17.svg. When opened, these SVG files display a fake webpage masquerading as the Attorney General’s Office and Citizen’s Consultation Portal. This counterfeit interface includes fabricated judicial information systems and fake consultation registration numbers, enhancing the illusion of legitimacy.
Complex Multi-Stage Infection Chain
Upon attempting to download what appears to be an official document, the victim initiates a complex infection chain involving multiple file stages and encoding techniques. Security analysts from Seqrite identified this campaign during their threat intelligence monitoring activities, noting the sophisticated use of SVG files as initial attack vectors.
Technical Breakdown of the Infection Process
1. Execution of Malicious SVG File: When the victim clicks on the SVG file, embedded JavaScript code executes the `OpenDocument()` function, which performs several operations to initiate the attack sequence.
2. Display of Fake Progress Bar: The SVG file contains embedded base64-encoded data that, when decoded, creates an HTML blob displayed in a new browser tab. This secondary page presents a fake progress bar interface, convincing victims that a legitimate document download is occurring.
3. Download of Malicious HTA File: Simultaneously, the system triggers the download of a malicious HTA file named DOCUMENTO_OFICIAL_JUZGADO.HTA.
4. Execution of Obfuscated Code: The HTA file contains heavily obfuscated code with large blocks of base64-encoded content. When executed, it decodes and drops a Visual Basic script file called actualiza.vbs onto the victim’s system.
5. PowerShell Script Execution: The VBS file, after removing extensive junk code designed to evade analysis, executes a PowerShell script contained within an obfuscated variable named GftsOTSaty.
6. Download of Encoded Text File: The PowerShell component (veooZ.ps1) connects to a dpaste domain URL to download an encoded text file called Ysemg.txt.
7. Decoding and Execution of Final Payload: This file undergoes multiple decoding processes, replacing specific character patterns before base64 decoding to produce classlibrary3.dll, a .NET assembly that functions as a module loader.
8. Anti-Detection Techniques: The loader incorporates anti-virtual machine techniques, checking for VirtualBox and VMware-related processes to avoid detection in analysis environments.
9. Injection of AsyncRAT: The final payload, AsyncRAT, is injected into the legitimate MSBuild.exe process through sophisticated in-memory injection techniques. This approach allows the malware to operate within a trusted Windows process, effectively evading detection while maintaining persistence on the infected system.
Capabilities of AsyncRAT
AsyncRAT provides comprehensive remote access capabilities, including keystroke logging, system information gathering, webcam surveillance, and command-and-control communications through encrypted TLS connections using MessagePack serialization.
Implications and Recommendations
This campaign highlights the evolving tactics of cybercriminals who exploit legitimate-looking governmental communications to bypass traditional security measures. Users are advised to exercise caution when receiving unsolicited emails, especially those claiming to be from legal authorities. It’s crucial to verify the authenticity of such communications through official channels and avoid opening attachments or clicking on links from unknown sources.
Organizations should implement advanced email filtering solutions capable of detecting and blocking malicious attachments and links. Regular security awareness training for employees can also help in recognizing and mitigating phishing attempts.
