BianLian Ransomware Spreads via Fake Invoices Embedded with Malicious SVG Files

BianLian-Ransomware-Spreads-via-Fake-Invoices-Embedded-with-Malicious-SVG-Files

Phishing Campaign Targets Companies in Venezuela

Researchers at a prominent cybersecurity firm have uncovered a novel phishing campaign targeting companies in Venezuela, leveraging malicious SVG image files and sophisticated redirection tactics to deploy high-speed AES encryption.

Tactics Employed by the BianLian Ransomware Group

  • The campaign begins with the delivery of emails containing SVG files, masquerading as innocuous office documents.
  • These files contain hidden XML code, allowing them to secretly connect to an external URL.
  • The URL, shortened via the ja.cat service, redirects traffic through compromised Brazilian domains.
  • The URLs employed by the attackers feature a unique 16-digit token system, ultimately delivering the final payload – a Windows program written in the Go language.
According to the researchers, “The malware incorporates an additional layer of stealth by checking for the presence of Wine, a compatibility layer enabling the execution of Windows applications on Linux systems.”

This campaign demonstrates the evolving tactics of the BianLian ransomware group, which has been active since 2022 and has previously targeted critical infrastructure in the United States and Australia.

Previous Campaigns and Recommendations

  • In a previous campaign, the group had impersonated itself via physical letters sent via the US Postal Service, demanding Bitcoin payments.
  • Although that particular campaign was deemed a hoax, the current campaign represents a genuine malware and network intrusion incident.
According to the researchers, “To protect against such threats, we recommend exercising caution when encountering unexpected image files, as they can potentially harbor malicious code.”

Suspicious domains linked to this campaign include:

  • contabilidad.icu
  • getpdfdigital.cloud
  • soportedigital.cloud
  • documentodigital.cloud

These domains should be monitored or blocked immediately to prevent further infection.



About Author

en_USEnglish