SVCReady, a previously unknown malware loader that uses an unusual method of loading malware from Word documents onto victim devices, has been spotted in phishing attacks. It executes shellcode stored in the properties of a Word document that arrives as an email attachment, using VBA macro code to extract and run it.
According to a recent report from HP, the malware has been in use since April 2022, with the developers releasing further updates in May 2022. This suggests that it is still at an early stage and under active development. It already supports information exfiltration, persistence, anti-analysis features, and encrypted C2 communication.
The infection chain starts with a phishing email carrying a malicious .doc attachment. Instead of the usual technique of having malicious macros download a payload from a remote location using PowerShell or MSHTA, this campaign uses VBA to launch shellcode hidden in the file's properties. The shellcode is stored in the Word document's properties, and the macro reads it from there and executes it. By separating the macro from the malicious shellcode, the threat actors hope to evade security tools that only inspect the macro code.
“Next the shellcode, which is located in the document properties, is loaded into a variable. Different shellcode is loaded depending on if the architecture of the system is 32 bit or 64 bit,” HP’s report explains.
The selected shellcode is loaded into memory, and the macro then calls the Windows API function VirtualProtect to make that memory region executable. It then calls the SetTimer API with the shellcode's address as the timer callback, so the shellcode runs when the timer fires. The shellcode drops a DLL (the malware payload) into the %TEMP% directory. A copy of rundll32.exe, a legitimate Windows binary, is also written to the same directory under a different name and is later used to execute SVCReady.
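The renamed copy of rundll32.exe running out of %TEMP% is the most robust host-side artifact in this chain, because the PE's version resource still reports RUNDLL32.EXE as the original file name regardless of what the file is called on disk, and Sysmon records that field in its process-creation event. The following Python script is an added example, not code from HP's report: it runs that check, plus the Word-parent and DLL-from-Temp checks, over a few constructed Sysmon Event ID 1 records. The file names under Temp are placeholders, not the names observed in the real campaign.

```python
import ntpath

# Constructed Sysmon Event ID 1 (process creation) records. The executable and DLL
# names under Temp are placeholders, not the names HP observed in the real campaign.
EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    },
    {
        "Image": r"C:\Users\alice\AppData\Local\Temp\hsdf3.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\hsdf3.exe" C:\Users\alice\AppData\Local\Temp\kg31.dll,Entry',
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

# Directories the loader writes to; matched case-insensitively against full paths.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def argument_string(cmd: str) -> str:
    """Strip the (possibly quoted) program path and return only the arguments."""
    if cmd.startswith('"'):
        return cmd.partition('" ')[2]
    return cmd.partition(" ")[2]


def triage_event(ev: dict) -> list[str]:
    """Return the reasons an event matches the SVCReady launch pattern (empty if none)."""
    reasons = []
    image = ev["Image"]
    name = ntpath.basename(image).lower()
    original = ev.get("OriginalFileName", "").lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    args = argument_string(ev.get("CommandLine", ""))

    if original != "rundll32.exe":
        return reasons  # only rundll32 (by version resource, not file name) is of interest here
    if name != "rundll32.exe":
        reasons.append(f"rundll32 running under a different file name: {name}")
    if in_temp(image):
        reasons.append("rundll32 copy executing from a temp directory")
    if parent == "winword.exe":
        reasons.append("rundll32 spawned by Word")
    if ".dll" in args.lower() and in_temp(args):
        reasons.append("DLL argument points into a temp directory")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that produced at least one finding."""
    return [(i, r) for i, ev in enumerate(events) if (r := triage_event(ev))]


if __name__ == "__main__":
    for index, reasons in triage(EVENTS):
        print(f"event {index}: {EVENTS[index]['Image']}")
        for reason in reasons:
            print(f"  - {reason}")
```

The OriginalFileName check is the one worth keeping even if the other three are tuned away for noise: a renamed system binary is rarely legitimate, and it survives the attacker changing the drop directory or the parent process.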
SVCReady profiles the machine using registry queries and Windows API calls, then sends the collected data to the C2 server in an HTTP POST request. Communication with the C2 is encrypted with RC4; according to HP's researchers, this feature was added in one of the May updates. The malware also runs two WMI queries on the host to check whether it is running in a virtualized environment, and if so it sleeps for 30 minutes to evade analysis.
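Because the C2 channel is plain RC4, an analyst who has recovered the key from the sample can decrypt captured POST bodies directly, and the same routine lets you test candidate keys against a captured body: with the wrong key the output is noise rather than printable profile data. The following Python is an added example, not HP's code, and uses no real key: the "captured" body is a constructed profile string encrypted with a made-up key so the decryption path can be exercised offline, and the RC4 implementation is checked against the standard published test vector.

```python
import string
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


PRINTABLE = set(string.printable.encode())


def looks_like_plaintext(blob: bytes, threshold: float = 0.95) -> bool:
    """Cheap sanity check for a candidate key: host profile data is mostly printable ASCII."""
    if not blob:
        return False
    return sum(b in PRINTABLE for b in blob) / len(blob) >= threshold


def recover_key(body: bytes, candidates: list[bytes]) -> Optional[bytes]:
    """Return the first candidate key under which the captured body decrypts to printable text."""
    for key in candidates:
        if looks_like_plaintext(rc4(key, body)):
            return key
    return None


# Constructed stand-in for a POST body carved from a packet capture. The real wire
# format and key are whatever HP's report documents; this profile string and key are
# invented here so the example runs without any real sample.
DEMO_KEY = b"constructed-demo-key"
DEMO_PROFILE = b"host=WS-1137;user=alice;os=Windows 10;vm=0;usb=2"
CAPTURED_BODY = rc4(DEMO_KEY, DEMO_PROFILE)


if __name__ == "__main__":
    # Candidate keys pulled from strings/config of the sample would go here.
    key = recover_key(CAPTURED_BODY, [b"wrong-guess", DEMO_KEY])
    print("key:", key)
    print("decrypted:", rc4(key, CAPTURED_BODY).decode())
```

The printable-ratio heuristic is what makes this usable when several strings in the binary could be the key: RC4 gives no integrity error on a wrong key, so the only signal is whether the output makes sense.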
The malware's persistence mechanism currently relies on creating a scheduled task and a new registry entry, but because of implementation bugs the malware does not actually run after a reboot. A second phase of data collection then begins, which involves taking screenshots, extracting "osinfo", and sending everything to the C2. Every five minutes, SVCReady contacts the C2 to report its status, receive new tasks, upload stolen data, and validate the domain.
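A fixed five-minute check-in is easy to spot in proxy logs if you look at the intervals between requests for each client/server pair rather than at individual requests. The following Python is an added example, not from HP's report: the log lines are constructed, the addresses come from the documentation ranges, and /gate is a placeholder URI rather than SVCReady's real C2 path.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log: ISO timestamp, client, server, method, path. 203.0.113.7 plays
# the C2 (six POSTs roughly 300 s apart); 198.51.100.20 is ordinary web traffic with
# irregular POST timing.
SAMPLE_LOG = """\
2022-05-10T09:00:00 10.0.0.5 203.0.113.7 POST /gate
2022-05-10T09:00:30 10.0.0.5 198.51.100.20 POST /login
2022-05-10T09:01:10 10.0.0.5 198.51.100.20 POST /search
2022-05-10T09:05:02 10.0.0.5 203.0.113.7 POST /gate
2022-05-10T09:07:45 10.0.0.5 198.51.100.20 POST /search
2022-05-10T09:08:00 10.0.0.5 198.51.100.20 POST /comment
2022-05-10T09:10:01 10.0.0.5 203.0.113.7 POST /gate
2022-05-10T09:12:30 10.0.0.5 198.51.100.20 POST /logout
2022-05-10T09:14:59 10.0.0.5 203.0.113.7 POST /gate
2022-05-10T09:20:03 10.0.0.5 203.0.113.7 POST /gate
2022-05-10T09:25:00 10.0.0.5 203.0.113.7 POST /gate
"""


def parse_log(text: str) -> dict[tuple[str, str], list[datetime]]:
    """Group POST timestamps by (client, server); the beacon here is an HTTP POST."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, method, _path = line.split()
        if method == "POST":
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(series, period=300.0, tolerance=0.05, min_requests=5):
    """Return (client, server, median_gap, count) for pairs checking in at a fixed period.

    A pair is flagged when the median gap is within `tolerance` of `period` and the
    gaps barely vary (standard deviation also within tolerance), i.e. a timer, not a user.
    """
    hits = []
    for (src, dst), times in series.items():
        if len(times) < min_requests:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance * period and pstdev(gaps) <= tolerance * period:
            hits.append((src, dst, med, len(times)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, count in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {count} POSTs, median interval {gap:.0f}s")
```

The 5% tolerance is tuned to the fixed timer this article describes; a loader that adds jitter to its sleep would need the deviation bound loosened, at the cost of more false positives from well-behaved software that also polls on a schedule.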
At present, SVCReady supports the following functions:
- Take a screenshot
- Download a file to the infected client
- Check if it is running in a virtual machine
- Collect system information (a short and a “normal” version)
- Check the USB status, i.e., the number of devices plugged in
- Run a shell command
- Run a file
- Establish persistence through a scheduled task
- Run a file using RunPeNative in memory
Finally, the malware can download additional payloads. According to HP's researchers, SVCReady delivered a RedLine Stealer payload to a compromised host on April 26, 2022. HP also reports overlaps with earlier TA551 (Shatak) campaigns, such as the lure images used in the malicious documents and the resource URLs used to download the payload. The phishing group previously used these domains to host Ursnif and IcedID payloads.
Because TA551 has been linked to various malware operators and even ransomware affiliates, the nature of its relationship with SVCReady is still unclear, though it may be a distribution partnership. However, since the malware appears to be at an early stage of development, it seems unlikely that a third party would be testing it through TA551, so it may be the group's own malware project.