EXECUTIVE SUMMARY
A phishing campaign uses an SVG. The SVG contains JavaScript that decodes an embedded base64 blob and opens a fake document viewer in the browser. That viewer forces a download of an HTA file which, when executed, drops a Visual Basic script. The VBS writes and runs an obfuscated PowerShell downloader that retrieves an encoded text blob and decodes it into a .NET assembly. That loader fetches an injector and the final RAT; the RAT is then injected in memory into a trusted Windows process to achieve stealthy execution.
The attack chains benign file types and native scripting to move from an image to an in-memory implant while keeping on-disk traces minimal. The SVG's onclick handler builds an HTML blob which forces an HTA download. The HTA hides a base64 segment that becomes actualiza.vbs. The VBS writes an obfuscated PowerShell string which downloads a text file that, after simple character substitution and base64 decoding, yields classlibrary3.dll. That DLL acts as a loader and decoder, reconstructing a second .NET component that serves as an injector. The injector allocates memory and injects AsyncRAT into a system process. The RAT contains anti-VM and anti-analysis checks, persistence options (run key or scheduled task), process-killing routines, data collection, and an encrypted C2 channel.
This campaign shows how text-based image formats and basic web scripting can be repurposed into a reliable multi-stage installer that evades many static checks. By distributing functionality across SVG, HTML blob, HTA, VBS, PowerShell, and small .NET modules, each stage appears less suspicious while the final RAT runs inside a legitimate process for stealth. Detection at the initial stages was limited, underlining the risk posed by client-side blobs and encoded payload streams. Expect more campaigns that chain everyday file types into loader sequences that rely on in-memory execution and leave minimal obvious artifacts.
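As an added example (not code from this summary or from the reports it cites), a Python triage check for the SVG stage described above: it parses an SVG and flags the indicators the first stage relies on, namely inline script, event handlers, base64 decoding into an HTML blob, and a forced .hta download. The two sample SVGs are constructed and inert; the marker list and weights are assumptions, not values from the campaign.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input at scale, swap in defusedxml.ElementTree

# Assumed marker strings: the smuggling stage decodes base64 (atob), wraps it in a
# Blob, opens it via an object URL, and hands over an .hta file (constructed list).
MARKERS = ("atob(", "new Blob(", "createObjectURL", "msSaveOrOpenBlob", ".hta")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 runs = embedded payload


def scan_svg(svg_text: str) -> dict:
    """Collect SVG-smuggling indicators; raises ET.ParseError on malformed XML."""
    root = ET.fromstring(svg_text)
    f = {"script_elements": 0, "event_handlers": [], "javascript_hrefs": 0,
         "markers": set(), "long_base64": 0}
    texts = []  # every string that could carry script code
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "script":  # strip the SVG namespace
            f["script_elements"] += 1
            texts.append(el.text or "")
        for name, value in el.attrib.items():
            aname = name.rsplit("}", 1)[-1].lower()
            if aname.startswith("on"):  # onclick, onload, ... fire in the browser
                f["event_handlers"].append(aname)
                texts.append(value)
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                f["javascript_hrefs"] += 1
                texts.append(value)
    for t in texts:
        f["markers"].update(m for m in MARKERS if m in t)
        f["long_base64"] += len(B64_RUN.findall(t))
    # Assumed weights: any script plus one blob/download marker is enough to escalate.
    f["score"] = (3 * f["script_elements"] + 2 * len(f["event_handlers"])
                  + 3 * f["javascript_hrefs"] + 2 * len(f["markers"])
                  + 2 * f["long_base64"])
    f["verdict"] = "suspicious" if f["score"] >= 5 else "clean"
    return f


# Constructed samples: a plain icon, and an inert lookalike whose base64 decodes
# to the text "CDATA placeholder" and whose script never runs anything.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onclick="openDoc()">'
    '<script><![CDATA[var d="Q0RBVEEgcGxhY2Vob2xkZXI=";'
    'function openDoc(){var b=new Blob([atob(d)],{type:"text/html"});'
    'var u=URL.createObjectURL(b);/* viewer then offers a .hta download */}'
    ']]></script><text>Notificacion judicial</text></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc)["verdict"], sorted(scan_svg(doc)["markers"]))
```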
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
---|---|---|---|
Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
Execution | T1218.005 | Signed Binary Proxy Execution | mshta/HTA execution |
Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys |
Persistence | T1053.005 | Scheduled Task | Scheduled Task on logon |
Defense Evasion | T1027 | Obfuscated Files or Information | – |
Defense Evasion | T1562.001 | Impair Defenses | Disable or kill security/monitoring tools |
Defense Evasion | T1055 | Process Injection | – |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | – |
Discovery | T1057 | Process Discovery | – |
Discovery | T1082 | System Information Discovery | – |
Discovery | T1012 | Query Registry | – |
Collection | T1125 | Video Capture | – |
Command and Control | T1071 | Application Layer Protocol | – |
Command and Control | T1105 | Ingress Tool Transfer | – |
Command and Control | T1543 | Create or Modify System Process | – |
Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
Impact | T1070 | Indicator Removal | – |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/svg-smuggling-fake-colombian-judicial-lure-deploys-asyncrat-via-malicious-hta-file/
https://www.seqrite.com/blog/judicial-notification-phish-colombia-svg-asyncrat/