SVCReady malware appears in phishing campaigns

Researchers discovered a malware loader distributed via phishing emails with Microsoft Word attachments. The loader, called SVCReady, allows attackers to collect information about infected machines, execute shell commands, and execute arbitrary files.

SVCReady was first seen in April being spread by malicious spam campaigns. The loader is unusual in that its infection chain executes shellcode stored inside a Word document. It is a technique not often seen in malware campaigns, researchers said, although they observed it in mid-April being used by attackers to distribute the Ursnif malware.

“As in many other malware campaigns, the documents contain Visual Basic for Applications (VBA) AutoOpen macros that are used to execute malicious code. But unlike other Office malware, the documents don’t use PowerShell or MSHTA to download other payloads from the web,” said HP malware analyst Patrick Schläpfer in an analysis on Tuesday. “Instead, the VBA macro runs shellcode stored in the document properties, which then drops and runs the SVCReady malware.”

The macro loads the shellcode into a variable and writes it into memory, and once it runs it drops a dynamic link library (DLL) and a copy of rundll32.exe, renamed in a likely attempt to evade detection, into the %TEMP% directory. When these files are executed, SVCReady is launched.
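Shellcode parked in document properties is cheap to look for during triage, because the properties of a modern Word file sit in plain XML inside the zip container. The script below is an added example, not HP's code or anything from the analysed samples: it pulls every custom property out of a .docx/.docm, tries to decode each value as hex (the storage format is an assumption; real samples may encode the bytes differently) and flags blobs that are both large and high-entropy, which is what shellcode looks like and what a long run of padding does not. The sample document it builds is constructed in memory and carries a fake blob derived from SHA-256 output standing in for shellcode.

```python
"""Triage Office Open XML documents for shellcode hidden in custom document properties."""
import hashlib
import io
import math
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces and format id used by docProps/custom.xml (standard values, not assumptions).
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"


def custom_properties(doc_bytes: bytes) -> dict:
    """Return {name: value} for every custom property in a .docx/.docm (zip) document."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        # The value lives in a typed child element such as <vt:lpwstr>.
        props[prop.get("name")] = "".join(child.text or "" for child in prop)
    return props


def hex_blob(value: str):
    """Interpret a property value as hex-encoded bytes (assumed storage format); None if not hex."""
    cleaned = re.sub(r"0x|[\s,]", "", value)
    if len(cleaned) < 2 or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        return None
    return bytes.fromhex(cleaned)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant run, close to 8.0 for random data)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_properties(doc_bytes: bytes, min_size=256, min_entropy=5.0) -> list:
    """Flag properties that decode to a large, high-entropy binary blob."""
    findings = []
    for name, value in custom_properties(doc_bytes).items():
        blob = hex_blob(value)
        if blob is None or len(blob) < min_size:
            continue
        ent = byte_entropy(blob)
        if ent >= min_entropy:
            findings.append({"name": name, "size": len(blob),
                             "entropy": round(ent, 2), "head": blob[:8].hex()})
    return findings


def build_sample_doc(properties: dict) -> bytes:
    """Constructed sample: a minimal zip carrying only docProps/custom.xml (not a real document)."""
    root = ET.Element(f"{{{NS_CUSTOM}}}Properties")
    for pid, (name, value) in enumerate(properties.items(), start=2):
        p = ET.SubElement(root, f"{{{NS_CUSTOM}}}property",
                          fmtid=FMTID_USER, pid=str(pid), name=name)
        ET.SubElement(p, f"{{{NS_VT}}}lpwstr").text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/custom.xml",
                   ET.tostring(root, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


# Constructed stand-in for shellcode: 640 pseudo-random bytes derived from SHA-256 digests.
FAKE_SHELLCODE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))
SAMPLE_PROPERTIES = {
    "Company": "Example Corp",      # short, benign
    "Padding": "A" * 600,           # decodes as hex, but zero entropy: not shellcode
    "Data": FAKE_SHELLCODE.hex(),   # large, high-entropy blob: flagged
}

if __name__ == "__main__":
    for finding in suspicious_properties(build_sample_doc(SAMPLE_PROPERTIES)):
        print(finding)
```

Once a blob is flagged, `hex_blob` already gives you the raw bytes to hand to a disassembler; the entropy threshold is what keeps a property full of repeated filler from producing noise.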

SVCReady acts as a downloader and has additional functionality to collect data from the infected system, as well as communicate with the command and control (C2) server. The data collected includes system information (username, computer name, time zone, and registry details such as computer manufacturer, BIOS, and firmware). The malware also collects information about running processes and installed software. SVCReady also has several other features, including the ability to take a screenshot, run a shell command, upload a file to the infected client, check if it is running in a virtual machine, and more.

The researchers also observed RedLine Stealer delivered as a follow-up payload after the initial SVCReady infection during an April 26 campaign; however, they have not observed any follow-up payloads since then.

“Communication with the C2 server is via HTTP, but the data itself is encrypted using the RC4 cipher,” the researchers said. “Interestingly, RC4 encryption was not implemented in the first malware samples we analyzed at the end of April 2022. This suggests that C2 encryption was only added in May and that the malware is being actively developed.”
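RC4 over plain HTTP means a captured request body can be turned back into the host inventory described above as soon as the key is known, and because RC4 is a stream cipher the same routine encrypts and decrypts. The following is an added example, not HP's tooling and not SVCReady's own implementation: a plain RC4 routine, a plausibility check for decrypted output, and a loop that tries a list of candidate keys (in practice, strings pulled from the sample) until one yields readable text. The beacon, the key and the candidate list are all constructed; the page gives no real key or message format.

```python
"""Decrypt RC4-protected HTTP C2 bodies and pick the right key from a candidate list."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling plus keystream XOR). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic: a decrypted beacon should be valid UTF-8 and almost entirely printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) > 0.95


def recover_key(ciphertext: bytes, candidates):
    """Try each candidate key in order and return (key, plaintext) for the first one
    that produces plausible output, or (None, None) if none does."""
    for key in candidates:
        plain = rc4(key, ciphertext)
        if looks_like_plaintext(plain):
            return key, plain
    return None, None


# Constructed data: a fake beacon shaped like the host inventory the loader collects,
# a made-up key, and a candidate list in which the right key comes last.
SAMPLE_KEY = b"example-c2-key"
SAMPLE_BEACON = b'{"user":"jdoe","host":"WS-0173","tz":"UTC+01:00","vm":false,"procs":142}'
SAMPLE_CIPHERTEXT = rc4(SAMPLE_KEY, SAMPLE_BEACON)
CANDIDATE_KEYS = [b"password", b"0000", b"svc", SAMPLE_KEY]

if __name__ == "__main__":
    key, plain = recover_key(SAMPLE_CIPHERTEXT, CANDIDATE_KEYS)
    print("key:", key, "plaintext:", plain)
```

The plausibility check is what makes key guessing workable: a wrong RC4 key produces bytes that almost never decode as printable UTF-8, so the loop rejects them without any knowledge of the message layout. Samples from before May, per the analysis above, would simply carry the beacon unencrypted.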

The researchers noted several similarities between the decoy images and filenames of the documents used to deliver SVCReady and those used in TA551 campaigns last seen in late January 2022. TA551 is a group that has been active since at least 2016 and has distributed malware payloads such as Ursnif, IcedID, Qbot and Emotet.

“Comparing the images used in the malicious documents provides no certainty that the same threat actor is behind them, as it is possible that we are seeing the artifacts left by two different attackers using the same tools,” the researchers said. “However, our results show that similar patterns and potentially document generators are used by the actors behind the TA551 and SVCReady campaigns.”

The malware also has several bugs. Its persistence routine, for example, is meant to copy the SVCReady DLL to the Roaming directory under a unique name. The feature appears to have been implemented incorrectly, however, because the routine copies rundll32.exe to the Roaming directory instead of the SVCReady DLL. Because of this error, the malware does not start again after a reboot.
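Both the loader stage described earlier (a renamed rundll32.exe dropped in %TEMP%) and the broken persistence step (a stray rundll32.exe copy in Roaming) leave the same artifact behind: a byte-for-byte copy of a system binary under an unexpected name in a user-writable directory. The hunting script below is an added example and not part of HP's analysis; it hashes the host's own rundll32.exe and walks the given directories for files with identical content, whatever they are called, using a size check so that only same-sized files are hashed. The `demo()` function builds a constructed directory layout standing in for System32, %TEMP% and %APPDATA%; the filenames in it are made up and are not indicators from the real campaigns.

```python
"""Hunt for renamed copies of rundll32.exe in user-writable directories by content hash."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def find_renamed_copies(reference_path: str, search_dirs) -> list:
    """Return every file under search_dirs whose bytes equal the reference binary,
    regardless of filename. Comparing against the host's own rundll32.exe rather than
    a fixed hash avoids misses caused by build-to-build differences in the binary."""
    reference_hash = sha256_file(reference_path)
    reference_size = os.path.getsize(reference_path)
    reference_real = os.path.realpath(reference_path)
    hits = []
    for directory in search_dirs:
        for dirpath, _dirs, files in os.walk(directory):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.realpath(path) == reference_real:
                    continue
                try:
                    if os.path.getsize(path) != reference_size:   # cheap pre-filter
                        continue
                    if sha256_file(path) == reference_hash:
                        hits.append(path)
                except OSError:       # locked, unreadable or vanished file; keep scanning
                    continue
    return sorted(hits)


def demo() -> list:
    """Constructed sandbox: a fake rundll32.exe in a fake System32, a renamed copy in
    Temp (the loader stage), a copy in Roaming (the broken persistence step) and an
    unrelated DLL that must not match. Returns the hits relative to the sandbox root."""
    fake_rundll32 = b"MZ" + b"\x90" * 2048        # constructed stand-in, not a real PE
    layout = {
        "System32/rundll32.exe": fake_rundll32,
        "Temp/renamed-copy.exe": fake_rundll32,
        "Roaming/Microsoft/copied.exe": fake_rundll32,
        "Temp/payload.dll": b"MZ" + b"\x00" * 512,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        hits = find_renamed_copies(
            os.path.join(root, "System32", "rundll32.exe"),
            [os.path.join(root, "Temp"), os.path.join(root, "Roaming")],
        )
        return [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    print(demo())
    if os.name == "nt":
        # Live hunt on a Windows host: %APPDATA% already points at the Roaming directory.
        ref = os.path.join(os.environ["SystemRoot"], "System32", "rundll32.exe")
        print(find_renamed_copies(ref, [os.environ["TEMP"], os.environ["APPDATA"]]))
```

A hit in Roaming that is rundll32.exe rather than a DLL is exactly the failed persistence step described above; a hit in %TEMP% should prompt a look at whichever DLL was dropped next to it.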

“SVCReady is under active development,” the researchers said. “We have tracked several changes since the first campaign in April 2022. This, along with the low frequency and low volume of campaigns, suggests that the malware is in the early stages of development.”
