Full Report (source): "Judicial Notification Phish Targets Colombian Users – .SVG Attachment Deploys Info-stealer Malware", published on the Seqrite blog (Blogs on Information Technology, Network & Cybersecurity). Sections of the original report: Introduction; Initial Vector; Infection Chain; Analysis of the .SVG attachment, the .HTA file, the .VBS file and the .ps1 file; Analysis of the Downloader/Loader (Anti-VM technique, Persistence technique, Download and Loader function); AsyncRAT payload; file MD5s; Quick Heal/Seqrite detections; MITRE ATT&CK tactics, techniques and procedures (TTPs).

Analysis Summary
# Incident Report: Judicial Notification Phishing Campaign Targeting Colombian Users with AsyncRAT Deployment
## Executive Summary
A targeted phishing campaign, leveraging a sophisticated multi-stage infection chain, successfully compromised users in Colombia using a "Judicial Notification" lure. The attack began with a multi-layered infection initiated by a malicious `.SVG` attachment, culminating in the deployment of the AsyncRAT remote access Trojan injected into the legitimate `MSBuild.exe` process for stealthy, persistent control. The incident highlights an effective blending of social engineering (using local judicial context) with advanced evasion techniques to achieve data theft capabilities.
## Incident Details
- **Discovery Date:** The source report is dated **October 13, 2025**.
- **Incident Date:** The lure references **September 11, 2025**.
- **Affected Organization:** Targeted individuals/users in Colombia.
- **Sector:** Likely Government/Legal or individuals interacting with the legal system.
- **Geography:** Colombia (Specifically referencing Bogotá judicial structures).
## Timeline of Events
### Initial Access
- **Date/Time:** Initiated via email delivery, reference date September 11, 2025.
- **Vector:** Malicious email delivered, impersonating a judicial formal complaint/notification from the "17th Municipal Civil Court of the Bogotá Circuit."
- **Details:** The email carried the lure as an `.SVG` attachment named "Fiscalia General De La Nacion Juzgado Civil 17.svg". Opening the SVG rendered a fake Attorney General’s Office webpage that prompted the user to click "DOWNLOAD DOCUMENT", which started the execution chain.
### Execution Chain
- The initial link click triggered the download of an **.HTA** file.
- The **.HTA** executed, dropping and launching a **Visual Basic Script (actualiza.vbs)**.
- The VBScript called a **PowerShell downloader (veooZ.ps1)**.
- PowerShell retrieved an encoded blob as a text file (**Ysemg.txt**).
- The decoded blob was written as **classlibrary3.dll**, which acted as a module loader to fetch the injector and AsyncRAT payload.
- The final payload was injected into the legitimate Windows process **MSBuild.exe** for persistence and defense evasion.
### Data Exfiltration/Impact
- The AsyncRAT payload established command and control (C2) communications over TLS/MsgPack.
- The RAT was capable of gathering sensitive data, including system details (HWID, OS, user privileges), and checking for the presence of cameras.
- Data was collected, packed into MessagePack objects, and exfiltrated over the encrypted C2 channel, potentially in chunks.
### Detection & Response
- **Detection:** The attached `.SVG` file had low detection rates initially, though Quick Heal/Seqrite detected later-stage components.
- **Response Actions:** Not explicitly detailed in the source report; response requires identifying and eradicating the DLL loader and the AsyncRAT payload and removing the persistence mechanisms (Run keys, scheduled tasks).
## Attack Methodology
- **Initial Access:** Spear-phishing using a convincing, localized official lure (Judicial Notification) delivered via a multi-purpose `.SVG` attachment (T1566.001).
- **Persistence:** Achieved via adding keys under `HKCU\…\Run` and creating scheduled tasks (`schtasks`) triggered on logon (T1547.001, T1053.005).
- **Privilege Escalation:** Not explicitly detailed. Execution relied on the signed system binary `mshta.exe` (T1218.005) and PowerShell (T1059.001) before the final payload was injected into `MSBuild.exe`.
- **Defense Evasion:** Heavy use of script-capable file types that are rarely inspected closely (`.SVG`, `.HTA`, `.VBS`, `.PS1`), obfuscation (Base64, reversed strings), termination of monitoring tools (T1562.001), injection of the final payload into a trusted process, `MSBuild.exe` (T1055), and anti-VM/sandbox checks (T1497).
- **Credential Access:** Not explicitly detailed, but AsyncRAT capabilities often include credential theft.
- **Discovery:** Enumerated running processes (T1057) and collected system information via WMI and registry reads (T1082, T1012).
- **Lateral Movement:** Not described in the source report, which covers only the execution chain on the initially infected host.
- **Collection:** Checked for webcam presence (T1125) and gathered system details.
- **Exfiltration:** Data encrypted using TLS and transmitted over C2, chunked for large messages (T1041).
- **Impact:** Gaining persistent remote access via AsyncRAT, allowing for ongoing surveillance, credential harvesting, and data theft.
## Impact Assessment
- **Financial:** Not explicitly quantified, but associated with incident response costs and potential data loss liability.
- **Data Breach:** Unauthorized access to systems, collection of configuration/system data, and potential for theft of confidential information gathered by the RAT.
- **Operational:** Initial system degradation due to multi-stage execution and potential business disruption depending on the targeted users/systems.
- **Reputational:** Damage related to a successful breach exploiting localized governmental trust mechanisms.
## Indicators of Compromise
- **Network indicators:** No C2 addresses or domains are given in this summary; the C2 channel is TLS-encrypted and carries MessagePack-serialized messages.
- **File indicators:**
- `.SVG`, `.HTA`, `.VBS` files used in the initial chain.
- `actualiza.vbs`, `veooZ.ps1`, `Ysemg.txt`, `classlibrary3.dll` (loader/injector).
- AsyncRAT payload injected into `MSBuild.exe`.
- MD5 Hashes: `b1ed63ee45ec48b324bf126446fdc888`, `817081c745aa14fcb15d76f029e80e15`, etc.
- **Behavioral indicators:**
- Execution of scripts from embedded file types (SVG, HTA).
- PowerShell downloading encoded data that writes a DLL.
- Process injection into `MSBuild.exe`.
- Creation of new Run keys and scheduled tasks for persistence.
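As an added example (not code from the Seqrite report), the behavioral indicators above can be expressed as a parent/child chain check over process-creation telemetry: the event records, image paths and the `cscript.exe` hop are constructed assumptions for the demonstration.

```python
# Added detection example, not code from the Seqrite report: walks parent/child
# process-creation events and flags an MSBuild.exe reached through the
# mshta -> wscript -> powershell hops described above. Events are constructed.
from typing import Dict, List

# Constructed Sysmon-style records: pid, parent pid, image path.
EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1", "image": r"C:\Windows\explorer.exe"},
    {"pid": "200", "ppid": "100", "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": "300", "ppid": "200", "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": "400", "ppid": "300",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": "500", "ppid": "400",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    # Benign control: MSBuild started by Visual Studio, no scripting hosts above it.
    {"pid": "700", "ppid": "100", "image": r"C:\Program Files\VS\devenv.exe"},
    {"pid": "600", "ppid": "700",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]

# (parent, child) hops from the report's chain; cscript is added as the sibling
# of wscript (an assumption; the report only says the HTA launched a .vbs).
SUSPICIOUS_HOPS = {
    ("mshta.exe", "wscript.exe"), ("mshta.exe", "cscript.exe"),
    ("wscript.exe", "powershell.exe"), ("cscript.exe", "powershell.exe"),
    ("powershell.exe", "msbuild.exe"),
}

def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events: List[Dict[str, str]], pid: str) -> List[str]:
    """Image names from `pid` up to the root of the recorded tree, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def suspicious_hops(events: List[Dict[str, str]], pid: str) -> int:
    """Count (parent, child) hops in the ancestry that match SUSPICIOUS_HOPS."""
    chain = ancestry(events, pid)
    return sum(1 for hop in zip(chain[1:], chain[:-1]) if hop in SUSPICIOUS_HOPS)

def find_injection_hosts(events: List[Dict[str, str]], min_hops: int = 2) -> List[str]:
    """PIDs of MSBuild.exe processes reached via at least `min_hops` suspicious hops."""
    return [e["pid"] for e in events if image_name(e["image"]) == "msbuild.exe"
            and suspicious_hops(events, e["pid"]) >= min_hops]
```

The threshold of two hops keeps a lone `powershell.exe -> MSBuild.exe` build step from alerting while still catching the full scripting-host chain.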
## Response Actions
- **Containment:** Isolating affected endpoints; analysis of registry and task scheduler for persistence mechanisms.
- **Eradication:** Deleting malicious files (`.SVG`, associated scripts, and the injected DLL/payload); terminating malicious processes.
- **Recovery:** Removing newly created persistence entries; restoring system integrity, potentially involving rebuilding heavily compromised systems if the in-memory injection was not fully captured.
## Lessons Learned
- **SVG as an evolving threat:** Traditional perimeter security mechanisms often fail to thoroughly inspect SVG files for embedded script execution logic, making them highly effective for initial access.
- **Layered Defense Failure:** The multi-stage chain (SVG -> HTA -> VBS -> PS -> DLL loader -> RAT) demonstrates attackers' reliance on multiple, diverse techniques to chain execution, necessitating depth in endpoint detection and response (EDR).
- **High-Fidelity Social Engineering:** The use of specific, local judicial details significantly increases the perceived legitimacy of the phishing lure.
## Recommendations
- Implement strict controls or disable handling of embedded scripts within high-risk file types like `.SVG` and `.HTA` at the email gateway and endpoint level unless absolutely necessary for business operations.
- Deploy advanced EDR solutions capable of monitoring process injection techniques (e.g., injection into `MSBuild.exe`), even when performed by obfuscated or trusted-sounding processes.
- Enhance user training focusing specifically on recognizing official correspondence versus spear-phishing lures, emphasizing verification via official communication channels rather than clicking attachment links.
- Regularly audit system persistence locations (Run keys, Scheduled Tasks) for newly suspicious entries.