Threat Advisory

PureHVNC RAT Delivered Through Judicial-Themed Phishing Campaign

Threat: Phishing Campaign
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Latin America, Colombia
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY

A set of phishing emails targeted Spanish-speaking recipients using a fake judicial document as the lure. The messages pointed victims to a cloud document preview in which an SVG file prompted a ZIP download. The ZIP contained a password-protected executable that, when run, launched a renamed legitimate program, which in turn loaded a malicious DLL placed in the same folder. That initial step unpacked and launched a multi-stage loader that pulled additional files from the archive. The chain ended with a remote access tool being installed.

Execution begins when the renamed program runs and the malicious DLL sitting beside it is loaded instead of the genuine one. That DLL starts a second stage which resolves the APIs it needs dynamically and checks that it is running from the expected folder, so that it can reach the other files in the archive. An encrypted configuration lists module names, shellcode sizes, and which DLL to hollow. The loader rebuilds the shellcode from chunks on disk, then XOR-decrypts and decompresses it before writing it into the code section of the target DLL and jumping to it. The loaded shellcode checks running process names and delays execution if needed, and it supports several injection methods, including process hollowing, section mapping, and thread context hijacking. Evasion includes indirect API calls, stack spoofing (or swapping in a tiny proxy routine and later restoring the originals), and an unhook step that repairs the in-memory copies of system DLLs if hooks are found. Persistence is controlled by configuration flags that let the loader create shortcuts or scheduled tasks.

This campaign shows how simple user actions can trigger complex attacks that hide behind password-protected downloads and renamed binaries. Because the loader assembles and runs code from disk and memory, it is hard to detect with signature checks alone. Defenders should focus on behaviors such as renamed legitimate binaries running from user folders, DLLs colocated with executables, unexpected LoadLibrary activity, changes to .text memory protections, and sudden scheduled task or shortcut creation. Monitoring for assembled shellcode markers and for outbound calls to the dynamic DNS providers used by the loader will also help. Finally, warn users to treat cloud previews and password-protected executable downloads with extra caution, and keep endpoint telemetry tuned to detect injection and side-loading patterns.
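The behaviors listed above translate directly into host-telemetry checks. The following is an added example, not code from the referenced reports, that runs those heuristics over a handful of constructed Sysmon-style events (process creation, image load, file creation and DNS query). The user-profile path pattern, the list of DLL names that normally live in System32, the dynamic DNS suffixes and every file and domain name in the sample events are assumptions chosen for illustration and should be tuned to the environment. Changes to .text page protections are not visible in Sysmon and need EDR memory telemetry, so they are not covered here.

```python
"""Triage Sysmon-style events for the side-loading and persistence behaviors
described in the advisory. Added example; sample events are constructed."""
import ntpath
import re
from typing import Dict, List, Tuple

# Assumed for illustration: tune these lists to the environment.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll",
                    "cryptsp.dll", "userenv.dll"}
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify_event(ev: Dict[str, object]) -> List[str]:
    """Return the list of behavior tags a single event triggers."""
    findings: List[str] = []
    eid = ev.get("EventID")
    image = str(ev.get("Image", ""))

    if eid == 1:  # ProcessCreate
        # A binary in a user folder whose on-disk name differs from the
        # PE version resource name is the "renamed legitimate program" pattern.
        ofn = str(ev.get("OriginalFileName", ""))
        if USER_WRITABLE.match(image) and ofn and ofn.lower() != _base(image):
            findings.append("renamed_binary_in_user_dir")
        # schtasks /Create spawned by something living in a user folder.
        cmd = str(ev.get("CommandLine", "")).lower()
        parent = str(ev.get("ParentImage", ""))
        if _base(image) == "schtasks.exe" and "/create" in cmd \
                and USER_WRITABLE.match(parent):
            findings.append("scheduled_task_from_user_dir")

    elif eid == 7:  # ImageLoaded
        # Side-loading heuristic: a DLL that carries a System32 DLL name is
        # loaded from the same user-writable folder as the executable.
        loaded = str(ev.get("ImageLoaded", ""))
        if USER_WRITABLE.match(image) and _dir(loaded) == _dir(image) \
                and _base(loaded) in SYSTEM_DLL_NAMES:
            findings.append("colocated_system_dll_name")

    elif eid == 11:  # FileCreate
        target = str(ev.get("TargetFilename", ""))
        if _base(target).endswith(".lnk") and STARTUP_DIR.search(target):
            findings.append("startup_shortcut_created")

    elif eid == 22:  # DnsQuery
        if str(ev.get("QueryName", "")).lower().endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append("dynamic_dns_query")

    return findings


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event index, tag) pairs for every behavior found."""
    return [(i, tag) for i, ev in enumerate(events) for tag in classify_event(ev)]


# Constructed sample telemetry; paths, names and domains are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Users\ana\Downloads\Documento\notificacion.exe",
     "OriginalFileName": "vendor_tool.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\ana\Downloads\Documento\notificacion.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\Documento\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /Create /SC ONLOGON /TN Updater /TR "C:\\Users\\ana\\x.exe"',
     "ParentImage": r"C:\Users\ana\Downloads\Documento\notificacion.exe"},
    {"EventID": 11, "TargetFilename":
     r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 22, "QueryName": "svc-update.duckdns.org"},
    {"EventID": 22, "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for index, tag in scan(SAMPLE_EVENTS):
        print(f"event {index}: {tag}")
```

The benign notepad.exe image load and the query to a vendor domain produce no findings, which is the point of anchoring each rule on the user-writable directory or on a provider suffix rather than on a DLL or process name alone. In production these tags would be correlated per process tree, so that a renamed binary, a colocated DLL and a scheduled task from the same ancestor raise one alert rather than three.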

THREAT PROFILE:

Tactic               | Technique ID | Technique                         | Sub-technique
Initial Access       | T1566.003    | Phishing                          | Spearphishing via Service
Defense Evasion      | T1574.002    | Hijack Execution Flow             | DLL Side-Loading
Defense Evasion      | T1055.012    | Process Injection                 | Process Hollowing
Persistence          | T1053.005    | Scheduled Task/Job                | Scheduled Task
Persistence          | T1547.001    | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder
Privilege Escalation | T1548.002    | Abuse Elevation Control Mechanism | Bypass User Account Control
Command and Control  | T1071.004    | Application Layer Protocol        | DNS

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/threat-actors-weaponizes-judicial-documents/
https://www.ibm.com/think/x-force/latam-baited-into-delivery-of-purehvnc