Ransomware, Mar 27, 2026

BianLian Ransomware Spreads via Fake Invoice SVG Images in New Attacks

BianLian ransomware spreads via malicious SVG invoice files targeting Venezuelan companies.

Summary

WatchGuard researchers identified a new phishing campaign by the BianLian ransomware group targeting Venezuelan companies using fake invoice SVG files containing hidden XML code. The attacks leverage compromised Brazilian domains and ja.cat URL shortening to deliver a Go-based malware payload that checks for analysis tools and uses high-speed AES encryption. The campaign reflects BianLian's continued evolution since 2022, with similar tactics recently observed in Colombia using fake judicial portals.

Full text

by Deeba Ahmed, March 27, 2026

Researchers at WatchGuard have identified a new phishing campaign targeting companies in Venezuela. Using malicious SVG image files and clever redirection tricks, the BianLian ransomware group is bypassing traditional security to deploy high-speed AES encryption.

Companies across Venezuela are currently being targeted by a digital trap that uses everyday office images to bypass security. Researchers at the firm WatchGuard recently identified a wave of malicious files being downloaded by unsuspecting victims, with almost all of the activity concentrated in Venezuela. The attack begins with a simple phishing email containing an attachment that appears to be a routine invoice or budget.

How a Simple Image Becomes a Threat

We usually trust images more than links, which is exactly what these attackers are counting on. The emails contain SVG files, a common format for logos and graphics, with filenames written in Spanish to look legitimate. While these seem like pictures, they actually contain hidden XML code. Researchers noted that when a person opens the file, it secretly connects to an external URL to download a harmful ‘artifact’ onto the system.

As they probed further, researchers found that this campaign uses a clever redirection trick to stay under the radar. By using the ja.cat service to shorten links, the attackers redirect traffic through compromised Brazilian domains. These links typically use a specific 16-digit token system to deliver the final payload, which is a Windows programme written in the Go language, and is designed to be incredibly sneaky. It even checks for a tool called Wine to see if it is being watched by security experts and monitors when a computer is ‘suspended’ to carry out its work while defences are down.

The malware also scans for specific internal settings like GODEBUG and uses high-speed AES encryption to lock up files faster than ever.

Figure: Malicious SVG file sample (Source: WatchGuard)

Links to the BianLian Ransomware Group

WatchGuard’s research, which was shared with Hackread.com, suggests these tactics match the workings of a notorious group of hackers called BianLian. This group has been active since 2022 and previously targeted critical infrastructure in the US and Australia.

Interestingly, in March last year, Hackread.com reported on a peculiar trend where executives received physical letters via the US Postal Service from scammers who actually impersonated BianLian to demand Bitcoin via snail mail. While that older campaign turned out to be a hoax, the current digital attack in Venezuela involves actual malware and network intrusions. It is worth noting that a similar campaign recently hit Colombia using fake judicial portals, proving that these groups are constantly shifting their sights.

Protecting Your Workplace

According to researchers, this case is clear proof that “even seemingly harmless file types like SVGs can be used to deliver serious threats.” They suggest treating any unexpected image with caution to stay safe online. Also, researchers have identified several suspicious domains linked to this campaign that should be monitored or blocked immediately:

  • contabilidad.icu
  • getpdfdigital.cloud
  • soportedigital.cloud
  • documentodigital.cloud
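As an added defender-side example, not code from the article or from WatchGuard: a small Python triage script that statically flags the traits the article describes in the SVG lure (embedded script, event-handler attributes, external URL references such as ja.cat links) and matches referenced hosts against the domains the article lists. The sample SVG, its PLACEHOLDER_TOKEN and the function names are constructed for illustration; nothing is fetched from the network.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Domains from the article's IoC list plus the ja.cat shortener it names.
BLOCKLIST = {"contabilidad.icu", "getpdfdigital.cloud",
             "soportedigital.cloud", "documentodigital.cloud", "ja.cat"}
# Elements that let an "image" run code or pull in remote content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src", "data"}          # compared on the local name
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
EVENT_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)

def _local(name):
    """Strip the XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]

def scan_svg(svg_text):
    """Static triage of one SVG document: returns active tags, event-handler
    attributes, every external host referenced and which of those are listed."""
    findings = {"active_tags": [], "event_handlers": [], "hosts": set()}
    for el in ET.fromstring(svg_text).iter():
        if _local(el.tag) in ACTIVE_TAGS:
            findings["active_tags"].append(_local(el.tag))
        for attr, value in el.attrib.items():
            if EVENT_RE.match(_local(attr)):
                findings["event_handlers"].append(_local(attr))
            if _local(attr) in URL_ATTRS and value.lower().startswith(("http://", "https://")):
                findings["hosts"].add(urlparse(value).hostname)
        # URLs buried in script bodies or <style> text count as well.
        for url in URL_RE.findall(el.text or ""):
            findings["hosts"].add(urlparse(url).hostname)
    findings["blocklisted"] = {h for h in findings["hosts"] if h in BLOCKLIST}
    return findings

def is_suspicious(findings):
    """Policy: any scripting capability or any listed host means quarantine."""
    return bool(findings["active_tags"] or findings["event_handlers"]
                or findings["blocklisted"])

# Constructed sample shaped like the campaign (NOT the real WatchGuard file):
# an invoice-looking link through the shortener plus a script element.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://ja.cat/PLACEHOLDER_TOKEN">
    <text x="10" y="20">Factura_2026.pdf</text></a>
  <script>/* constructed stub: references https://getpdfdigital.cloud/ */</script>
</svg>"""
```

Run it over the attachment directory of a mail gateway quarantine; a plain logo SVG yields no active tags, no handlers and an empty host set, while the constructed sample above is flagged on both the script element and the two listed hosts.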

Indicators of Compromise

  • domain — contabilidad.icu
  • domain — getpdfdigital.cloud
  • domain — soportedigital.cloud
  • domain — documentodigital.cloud
  • malware — BianLian