Hackers Leverage Judicial Notifications to Deploy Info-Stealer Malware

Cybercriminals have developed a sophisticated phishing campaign targeting Colombian users through fake judicial notifications, deploying a complex multi-stage malware delivery system that culminates in AsyncRAT infection.

The campaign demonstrates an alarming evolution in social engineering tactics, leveraging legitimate-looking governmental communications to bypass traditional security measures and successfully compromise unsuspecting victims.

The attack campaign employs carefully crafted Spanish-language emails impersonating official correspondence from “Juzgado 17 Civil Municipal del Circuito de Bogotá” (17th Municipal Civil Court of the Bogotá Circuit).

These deceptive messages inform recipients of purported lawsuits filed against them, creating urgency and authenticity through formal legal language and institutional naming conventions.

The malicious emails contain SVG (Scalable Vector Graphics) file attachments named “Fiscalia General De La Nacion Juzgado Civil 17.svg,” which translates to “Attorney General’s Office Civil Court 17.svg” in English.

Upon execution, the SVG file presents victims with a sophisticated fake webpage masquerading as the Attorney General’s Office and Citizen’s Consultation Portal.

The fraudulent interface includes fabricated elements such as judicial information systems and fake consultation registration numbers, enhancing the illusion of legitimacy.

When users attempt to download what appears to be an official document, the system initiates a complex infection chain involving multiple file stages and encoding techniques.

Seqrite analysts identified this malware campaign during their ongoing threat intelligence monitoring activities, detecting the sophisticated attack methodology that employs SVG files as initial attack vectors.

The researchers noted that SVG files have become increasingly popular among cybercriminals due to their ability to embed malicious scripts within XML code structures, often evading detection by traditional security solutions that may not thoroughly scan these file types for harmful content.

Infection Chain and Technical Implementation

The malware’s infection mechanism demonstrates advanced technical sophistication through its multi-stage delivery process.

Infection Chain of Campaign (Source – Seqrite)

Once the victim clicks on the malicious SVG file, embedded JavaScript code executes the OpenDocument() function, which performs several critical operations to initiate the attack sequence.

function OpenDocument() {
    // Accept base64 encoded embedded data
    // Decode it to attacker controlled "HTML" blob
    // Create a temporary URL object for that blob
    // Open that URL in new tab
}

The SVG file contains embedded base64-encoded data that, when decoded, creates an HTML blob displayed in a new browser tab.

This secondary page presents a fake progress bar interface, convincing victims that a legitimate document download is occurring while simultaneously triggering the download of a malicious HTA file named “DOCUMENTO_OFICIAL_JUZGADO.HTA.”
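As an added example (not code from Seqrite or the page), the following Python script statically triages an SVG for the traits described above: embedded script elements, use of the decode-to-blob browser APIs, and long base64 runs that decode to an HTML page. The two sample SVGs are constructed here and are not the campaign's files.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Browser APIs the technique relies on: base64 -> HTML blob -> object URL -> new tab.
SUSPICIOUS_APIS = ("atob", "Blob", "createObjectURL", "window.open", "eval")
# A base64 run long enough to hide a whole HTML page, not a small inline icon.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def triage_svg(svg_text):
    """Statically triage one SVG document; returns indicators and a verdict."""
    root = ET.fromstring(svg_text)
    findings = {"scripts": 0, "apis": [], "b64_runs": 0, "decoded_html": False}
    for el in root.iter():
        # Drop the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            findings["scripts"] += 1
            body = el.text or ""
            for api in SUSPICIOUS_APIS:
                if api in body and api not in findings["apis"]:
                    findings["apis"].append(api)
    for run in B64_RUN.findall(svg_text):
        findings["b64_runs"] += 1
        raw = run.rstrip("=")
        try:
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True).lower()
        except ValueError:
            continue
        if b"<html" in decoded or b"<script" in decoded:
            findings["decoded_html"] = True
    findings["verdict"] = "suspicious" if (findings["apis"] or findings["decoded_html"]) else "clean"
    return findings

# Constructed samples: a plain icon, and a script-bearing SVG whose base64 string
# decodes to an HTML page (the script body is a fragment, not a working dropper).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8" fill="red"/></svg>'
_FAKE_PAGE = base64.b64encode(b"<html><body>" + b"Cargando..." * 30 + b"</body></html>").decode()
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript">'
    'function OpenDocument(){ var h = atob("' + _FAKE_PAGE + '");'
    ' /* Blob, createObjectURL and window.open would follow here */ }'
    '</script></svg>'
)

if __name__ == "__main__":
    print(triage_svg(BENIGN_SVG)["verdict"], triage_svg(MALICIOUS_SVG))
```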

The HTA file serves as the next stage in the infection chain, containing heavily obfuscated code with large blocks of base64-encoded content.

When executed, it decodes and drops a Visual Basic script file called “actualiza.vbs” onto the victim’s system.

Once its extensive junk code (added to hinder analysis) is stripped away, the VBS file can be seen to execute a PowerShell script stored in an obfuscated variable named “GftsOTSaty.”

The PowerShell component (“veooZ.ps1”) connects to a dpaste domain URL to download an encoded text file called “Ysemg.txt.”

This file undergoes multiple decoding processes, replacing specific character patterns before base64 decoding to produce “classlibrary3.dll,” a .NET assembly that functions as a module loader.

The loader incorporates anti-virtual machine techniques, checking for VirtualBox and VMware-related processes to avoid detection in analysis environments.

The final payload, AsyncRAT, is injected into the legitimate MSBuild.exe process using in-memory injection techniques.

This approach allows the malware to operate within a trusted Windows process, effectively evading detection while maintaining persistence on the infected system.
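To show how the chain described above surfaces in endpoint telemetry, here is an added Python example (not from Seqrite or the page) that walks constructed Sysmon-style process events and flags MSBuild.exe launched beneath a script host, plus any network connection from a process descended from mshta.exe. The pids, the event shape and the benign devenv.exe lineage are assumptions made for the example.

```python
from collections import namedtuple

# Constructed Sysmon-style telemetry, not real logs: one tuple per event.
# kind is "create" (process creation) or "net" (outbound connection).
Event = namedtuple("Event", "kind pid ppid image")

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
LOLBIN_TARGETS = {"msbuild.exe"}   # signed build tool abused as the injection host above

def build_tree(events):
    """pid -> (ppid, image) from process-creation events only."""
    return {e.pid: (e.ppid, e.image.lower()) for e in events if e.kind == "create"}

def lineage(tree, pid):
    """Images from pid up to the root, nearest first; guards against pid-reuse loops."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain

def detect(events):
    """Return (rule, pid) alerts for the HTA -> VBS -> PowerShell -> MSBuild chain."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        chain = lineage(tree, e.pid)
        if not chain:
            continue
        image, ancestors = chain[0], chain[1:]
        if e.kind == "create" and image in LOLBIN_TARGETS and SCRIPT_HOSTS & set(ancestors):
            alerts.append(("msbuild_from_script_host", e.pid))
        if e.kind == "net" and "mshta.exe" in chain:
            alerts.append(("network_from_hta_lineage", e.pid))
    return alerts

SAMPLE_EVENTS = [
    Event("create", 100, 1, "explorer.exe"),
    Event("create", 300, 100, "mshta.exe"),        # the downloaded HTA is opened
    Event("create", 400, 300, "wscript.exe"),      # dropped VBS runs
    Event("create", 500, 400, "powershell.exe"),   # embedded PowerShell stage
    Event("net",    500, 0,   ""),                 # fetch of the encoded text file
    Event("create", 600, 500, "MSBuild.exe"),      # injection host
    Event("net",    600, 0,   ""),                 # C2 traffic from the injected process
    Event("create", 800, 100, "devenv.exe"),       # benign: an IDE build spawns MSBuild
    Event("create", 900, 800, "MSBuild.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```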

The AsyncRAT payload provides comprehensive remote access capabilities, including keystroke logging, system information gathering, webcam surveillance, and command-and-control communications through encrypted TLS connections using MessagePack serialization.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.