While studying phishing attacks, HP researchers discovered a previously unknown malware loader, SVCReady, that uses an unusual way of downloading malware to compromised machines via Word documents. The researchers write that SVCReady uses VBA macros to execute shellcode stored in the document's properties; the malicious documents themselves are usually delivered as email attachments.
Apparently, the malware is currently in development, as it was first noticed in April 2022, and in May the author of the malware released several updates at once.
The infection chain begins with the victim receiving a phishing email with a malicious .doc attachment. However, in this case, instead of using PowerShell or MSHTA (via malicious macros) to load the payload, VBA is used to run the shellcode hidden in the file’s properties.
The researchers note that by separating macros and malicious shellcode, attackers are trying to bypass security solutions that are usually able to detect such attacks.
SVCReady begins its activity on the system by building a profile of the host using registry queries and Windows API calls, then sends the collected information to the command and control server in a POST request. Communication with the C&C is encrypted with RC4; this feature was added in May during one of the recent malware updates.
SVCReady also makes two WMI queries on the host to see if it’s running on a virtual machine. If the answer is yes, the malware goes into sleep mode for 30 minutes to avoid analysis.
In addition, the author of SVCReady tried to implement a persistence mechanism (by creating a scheduled task and a new registry key), but so far the malware does not start after a reboot due to errors in its code.
Once the preliminary stages of the attack are complete, information collection begins, including taking screenshots, extracting OS information, and sending the collected data to the command and control server. SVCReady connects to the C&C server every five minutes to report its status, receive new jobs, transfer stolen information, or perform a domain check.
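The fixed five-minute check-in cadence described above is something a defender can look for in proxy logs. The following is an added example (not code from HP's report): it groups POST requests by source host and URL and flags series that repeat at a steady interval with little jitter. The log format, hosts and URLs are constructed for the example.

```python
"""Flag periodic POST beaconing in proxy logs (added example, not HP's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <method> <url>".
# One line is deliberately out of order to show that sorting is needed.
SAMPLE_LOG = """\
2022-05-10T09:00:02 10.0.0.5 POST http://c2.example.invalid/gate
2022-05-10T09:00:40 10.0.0.7 GET http://intranet.example.invalid/news
2022-05-10T09:05:03 10.0.0.5 POST http://c2.example.invalid/gate
2022-05-10T09:10:01 10.0.0.5 POST http://c2.example.invalid/gate
2022-05-10T09:12:15 10.0.0.7 POST http://mail.example.invalid/send
2022-05-10T09:15:04 10.0.0.5 POST http://c2.example.invalid/gate
2022-05-10T09:20:02 10.0.0.5 POST http://c2.example.invalid/gate
2022-05-10T09:31:08 10.0.0.7 POST http://mail.example.invalid/send
2022-05-10T09:25:03 10.0.0.5 POST http://c2.example.invalid/gate
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, method, url) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split()
        events.append((datetime.fromisoformat(ts), src, method, url))
    return events


def find_beacons(events, period_s=300, tolerance=0.1, min_hits=4):
    """Return {(src, url): median_gap_seconds} for POST series whose
    median interval is within `tolerance` of period_s and whose
    relative jitter (stdev / median) is also within `tolerance`."""
    series = defaultdict(list)
    for ts, src, method, url in events:
        if method == "POST":
            series[(src, url)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:  # too few requests to call it a pattern
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = pstdev(gaps) / med if med else float("inf")
        if abs(med - period_s) <= tolerance * period_s and jitter <= tolerance:
            hits[key] = med
    return hits


if __name__ == "__main__":
    for (src, url), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {url}: POST every ~{gap:.0f}s")
```

Real implants add jitter and rotate URLs, so in practice the tolerance and minimum hit count are tuned against the environment's baseline rather than fixed.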
SVCReady currently supports the following features:
- upload a file to the infected client;
- take a screenshot;
- run a shell command;
- check whether it is running on a virtual machine;
- collect system information (a quick or “normal” collection);
- check the USB status, that is, determine the number of connected devices;
- establish persistence on the system using a scheduled task;
- run a file;
- run a file in memory using RunPeNative.
In addition, SVCReady is capable of receiving additional payloads. For example, HP analysts observed that on April 26, 2022, SVCReady deployed a RedLine Stealer payload on an infected host.
HP reports that SVCReady bears a resemblance to past campaigns by the hacking group TA551 (aka Hive0106 or Shatak), including the decoy images used in the malicious documents, the resource URLs used to retrieve payloads, and so on. Previously, this phishing group used the same domains to host Ursnif and IcedID payloads.
“Perhaps these are just artifacts left by different attackers using the same tools,” the experts write. “However, our research shows that similar templates, and likely document builders, are used by TA551 and SVCReady campaign operators.”