Oversized SVG Files Deliver AsyncRAT in Campaign Targeting Colombia's Judicial System
A malware campaign targeting Latin America, primarily Colombia, uses oversized SVG files impersonating the judicial system to deliver AsyncRAT via DLL sideloading.

A recent malware campaign targeting Latin America, primarily Colombia, uses oversized SVG (Scalable Vector Graphics) files to deliver the AsyncRAT remote access trojan. The attack begins with a phishing email impersonating Colombia's judicial system, warning recipients about lawsuits or court summons. The email contains an SVG attachment that, when opened in a browser, renders a fake portal with verification pages and a progress bar, ultimately prompting the download of a password-protected ZIP archive containing a malicious executable.
The SVG files, often over 10 MB in size, are detected by ESET as JS/TrojanDropper.Agent.PSJ. The campaign leverages DLL sideloading, in which a legitimate application is made to load a malicious DLL so that the payload runs under a trusted process and evades detection. Notably, the entire malicious payload is embedded within the SVG XML itself, so the initial stage needs no external command-and-control (C2) connection to fetch it. This self-contained approach makes the attack stealthier and harder to detect.
AsyncRAT, first spotted in 2019, is a remote access trojan that enables keystroke logging, screen capture, credential theft, and device hijacking. The campaign appears to use AI-generated templates to create a unique file for each victim, with randomized data making each sample distinct and hampering hash-based detection. ESET telemetry shows mid-week spikes throughout August, with Colombia hit hardest, suggesting a systematically run operation.
The technique, known as 'SVG smuggling', was recently added to the MITRE ATT&CK knowledge base. SVG files are written in XML and can carry scripts and interactive elements that a browser executes when the file is rendered, making them attractive for abuse. The campaign highlights the evolving sophistication of phishing attacks, combining social engineering with technical obfuscation.
ESET advises vigilance: avoid clicking unsolicited links and attachments, especially those using urgent language. Treat SVG files with suspicion, as no government agency would send such files as email attachments. Combining awareness with robust cybersecurity measures is essential to mitigate such threats.
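The points above (script-bearing, oversized SVGs carrying the payload inline, and the advice to treat SVG attachments with suspicion) can be turned into a simple attachment triage check. The following is an added illustration, not ESET's detection logic or anything from the campaign itself; the size threshold, the blob-length threshold and the sample documents are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Thresholds are assumptions; the article only says samples are "often over 10 MB".
SIZE_THRESHOLD = 10 * 1024 * 1024
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# A long uninterrupted base64-looking run is how an embedded archive or executable
# usually shows up inside the XML.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")

def triage_svg(data: bytes) -> dict:
    """Return heuristic findings for one SVG document held in memory."""
    findings = {
        "oversized": len(data) > SIZE_THRESHOLD,
        "script_elements": 0,   # <script> blocks executed when rendered
        "event_handlers": 0,    # onload= and friends, also executable
        "external_refs": 0,     # href to a remote host (staging/C2)
        "base64_blob": False,   # payload smuggled inline, as in this campaign
        "parse_error": False,   # malformed XML is itself worth a look
    }
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings["parse_error"] = True
        root = None
    for el in (root.iter() if root is not None else ()):
        tag = el.tag.split("}")[-1].lower()   # strip the SVG namespace
        if tag == "script":
            findings["script_elements"] += 1
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if EVENT_ATTR.match(local):
                findings["event_handlers"] += 1
            if local == "href" and value.lower().startswith(("http", "//")):
                findings["external_refs"] += 1
    findings["base64_blob"] = BASE64_BLOB.search(data.decode("latin-1")) is not None
    findings["suspicious"] = any(
        findings[k] for k in ("oversized", "script_elements", "event_handlers",
                              "base64_blob", "parse_error"))
    return findings

# Constructed samples (not real campaign files): a benign icon and a
# script-carrying SVG with an inline blob standing in for a smuggled payload.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SMUGGLING_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
                 b'<script>var blob="' + b"A" * 3000 + b'";</script></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("smuggling", SMUGGLING_SVG)):
        print(label, triage_svg(doc))
```

A mail gateway would apply this to every `.svg` attachment and quarantine anything flagged `suspicious`; the heuristics are deliberately coarse, so tune the thresholds against your own benign SVG traffic before enforcing.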