Researchers at WatchGuard have identified a new phishing campaign targeting companies in Venezuela. Using malicious SVG image files and clever redirection tricks, the BianLian ransomware group is bypassing traditional security to deploy high-speed AES encryption.
Companies across Venezuela are currently being targeted by a digital trap that uses everyday office images to bypass security. Researchers at the firm WatchGuard recently identified a wave of malicious files being downloaded by unsuspecting victims, with almost all of the activity concentrated in Venezuela. The attack begins with a simple phishing email containing an attachment that appears to be a routine invoice or budget.
How a Simple Image Becomes a Threat
We usually trust images more than links, which is exactly what these attackers are counting on. The emails carry SVG files, a common format for logos and graphics, with Spanish-language filenames chosen to look legitimate. Although they render as pictures, SVG files are XML text, and these ones carry hidden code inside that markup. Researchers noted that when a person opens the file, it silently connects to an external URL to download a harmful ‘artifact’ onto the system.
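A defender's triage check for the SVG trick described above, added here as an example rather than code from WatchGuard or the article: it parses an SVG as XML and flags the features a harmless logo never needs, such as script elements, event-handler attributes and references to remote URLs. The two sample SVGs and the `redirector.example` hostname are constructed for the demonstration.

```python
"""Flag SVG files that carry script or network-reaching content.

Added example for the SVG phishing technique described in the article; not
WatchGuard's code. Both sample documents below are constructed for the demo.
For untrusted input in production, parse with defusedxml rather than the
standard library to also rule out entity-expansion tricks.
"""
import xml.etree.ElementTree as ET

# Elements a plain vector graphic has no business containing.
SUSPICIOUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose values are URLs and can therefore pull remote content.
URL_ATTRS = {"href", "src", "data"}
REMOTE_PREFIXES = ("http://", "https://", "//", "javascript:")


def _local(name: str) -> str:
    """Reduce an ElementTree '{namespace}local' name to its lower-cased local part."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing was flagged.
    A parse failure is itself reported, since an 'image' that is not valid XML is suspect."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable-xml: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in SUSPICIOUS_TAGS:
            findings.append(f"element:{tag}")
        if tag == "style" and elem.text and "url(" in elem.text.lower():
            findings.append("style-url")  # CSS can also fetch remote resources
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, ... run script on open
                findings.append(f"event-handler:{name}")
            elif name in URL_ATTRS and value.strip().lower().startswith(REMOTE_PREFIXES):
                findings.append(f"external-ref:{name}={value.strip()}")
    return findings


# Constructed samples: a benign icon that only references itself, and a lure
# that runs script on load and fetches a remote file disguised as an invoice.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
              'viewBox="0 0 10 10"><defs><circle id="c" r="4"/></defs><use xlink:href="#c"/></svg>')
LURE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><script>/* constructed */</script>'
            '<image href="https://redirector.example/factura.pdf"/></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc) or "clean")
```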
As they probed further, researchers found that this campaign uses a clever redirection trick to stay under the radar. By using the ja.cat service to shorten links, the attackers redirect traffic through compromised Brazilian domains.
These links typically use a specific 16-digit token system to deliver the final payload, a Windows programme written in the Go language and built to stay hidden. It checks for Wine, the compatibility layer used to run Windows programs on other systems, whose presence suggests the sample is being examined by analysts rather than running on a real victim’s machine, and it monitors when a computer is ‘suspended’ so it can carry out its work while defences are down. The malware also inspects Go runtime settings such as the GODEBUG environment variable and uses high-speed AES encryption to lock up files quickly.
Links to the BianLian Ransomware Group
WatchGuard’s research, which was shared with Hackread.com, suggests these tactics match the workings of a notorious group of hackers called BianLian. This group has been active since 2022 and previously targeted critical infrastructure in the US and Australia.
Interestingly, in March last year, Hackread.com reported on a peculiar trend where executives received physical letters via the US Postal Service from scammers who actually impersonated BianLian to demand Bitcoin via snail mail. While that older campaign turned out to be a hoax, the current digital attack in Venezuela involves actual malware and network intrusions. It is worth noting that a similar campaign recently hit Colombia using fake judicial portals, proving that these groups are constantly shifting their sights.
Protecting Your Workplace
According to researchers, this case is clear proof that “even seemingly harmless file types like SVGs can be used to deliver serious threats.” They suggest treating any unexpected image with caution to stay safe online. Also, researchers have identified several suspicious domains linked to this campaign that should be monitored or blocked immediately:
contabilidad.icu
getpdfdigital.cloud
soportedigital.cloud
documentodigital.cloud
