In a recent and alarming cybersecurity development, a phishing campaign has been uncovered that uses an unconventional and sophisticated method to deceive users. The attackers are leveraging Scalable Vector Graphics (SVG) files as the primary vector for their attacks. SVG is an XML-based vector graphics format that can embed JavaScript, and that scripting capability is what the attack relies on. These malicious SVG files are distributed via email and are designed to impersonate official portals of the Colombian judicial system’s Office of the Attorney General. When a user opens the file, an embedded JavaScript payload executes and decodes a Base64-encoded HTML phishing page.
The phishing page that users are redirected to is highly deceptive. It presents a simulated government document download, complete with a realistic-looking progress bar. While the user is focused on this fake download, a ZIP archive is stealthily downloaded in the background. The tactic is effective because it uses distraction to hide the real malicious action. A ZIP file is a common archive format that can contain any kind of file, including malware. While the specific contents of the ZIP file were not disclosed, delivering a secondary payload this way is a hallmark of sophisticated attacks.
A key element of this campaign’s success is its ability to evade traditional cybersecurity measures.
The SVG files, as reported by VirusTotal, have remained undetected by numerous antivirus engines. This evasion is achieved through a combination of techniques, including obfuscation, polymorphism, and the inclusion of large amounts of junk code. Obfuscation makes the code difficult for security analysts and automated systems to understand, while polymorphism allows the malware to change its code with each infection, making signature-based detection ineffective. The junk code further confuses static analysis tools, allowing the malicious payload to slip through undetected.
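Because the lure relies on an SVG carrying a script that unpacks Base64-encoded HTML, a defender can triage attachments statically for exactly those features before any engine signature exists. The following is an added example, not code from the article or from any vendor it mentions: it parses an SVG with the Python standard library and flags `<script>` elements, inline event-handler attributes, and long Base64 runs that decode to HTML, and it reports byte entropy as a rough obfuscation signal. The two sample SVGs are constructed for this example; the "malicious" one only decodes a placeholder page.

```python
"""Static triage of SVG attachments for scripted/phishing indicators (added example)."""
import base64
import math
import re
import xml.etree.ElementTree as ET

# Base64 runs of at least 40 characters are worth decoding; shorter runs are noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Markers that indicate a decoded blob is an HTML document rather than, say, image data.
HTML_MARKERS = (b"<html", b"<script", b"<form", b"<iframe")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; packed or obfuscated payloads score high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_svg(svg_bytes: bytes) -> dict:
    """Return indicators found in an SVG; an empty 'findings' list means nothing was flagged.

    Note: for untrusted input in production, parse with defusedxml instead of
    xml.etree to avoid XML entity-expansion issues.
    """
    findings = []
    script_bytes = 0
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the SVG namespace prefix
        if tag == "script":
            findings.append("script element")
            script_bytes += len((el.text or "").encode())
        for attr in el.attrib:
            if attr.lower().startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler attribute {attr}")

    text = svg_bytes.decode("utf-8", errors="ignore")
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if any(marker in decoded.lower() for marker in HTML_MARKERS):
            findings.append("base64 blob decodes to HTML")

    return {
        "findings": findings,
        "script_bytes": script_bytes,
        "entropy": round(shannon_entropy(svg_bytes), 3),
    }


# Constructed samples for this example.
PLACEHOLDER_HTML = b"<html><body>Constructed placeholder page</body></html>"
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="blue"/>'
    b'<script type="text/javascript">var page = atob("'
    + base64.b64encode(PLACEHOLDER_HTML)
    + b'");</script></svg>'
)
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="green"/></svg>'
)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        print(name, triage_svg(blob))
```

In a mail gateway this check would run on every `image/svg+xml` attachment; any `<script>` element or event handler in an emailed SVG is already unusual enough to quarantine, and a Base64 run that decodes to HTML is a strong indicator of the lure described above regardless of how the surrounding JavaScript is obfuscated or padded.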
In a separate but equally concerning trend, cybersecurity researchers have also identified a new campaign targeting Apple macOS users with an information-stealing malware known as Atomic macOS Stealer (AMOS). The attackers are luring users by offering “cracked” versions of legitimate software on dubious websites. When users attempt to download and install this pirated software, they are tricked into executing malicious commands in their Terminal application. AMOS is a particularly dangerous form of infostealer malware because it is designed to steal a wide range of sensitive data, including credentials, browser data, cryptocurrency wallets, and even chat logs and files from common folders.
The AMOS attack chain is notable for its ability to bypass Apple’s built-in security features, such as Gatekeeper.
Gatekeeper is a macOS technology that checks for a developer’s digital signature and Apple’s notarization to ensure an application is free of known malware before allowing it to run. By tricking users into manually running commands in the Terminal, the attackers circumvent these protections entirely. This highlights a growing trend where attackers are not only exploiting technical vulnerabilities but are also leveraging social engineering to manipulate users into taking actions that compromise their own security, proving that even robust security measures can be defeated by human error.