Security researchers discovered a new malware loader dubbed ‘SVCReady’ in recent phishing attacks. The malware has an atypical way of infecting the compromised device, by loading from Word documents’ properties.
SVCReady stores shellcode in the properties of malicious Word documents and executes it through VBA macro code. Threat actors usually deploy infected Word documents as email attachments.
Researchers believe the malware has been around since April and noticed an influx of updates from its developers in May. This led them to believe that, although SVCReady is still in its early days, it’s likely under heavy development.
Despite the malware’s purported infancy, it boasts several features, including encrypted C2 communications, persistence, data exfiltration, and detection evasion.
According to HP’s research, documents infected with SVCReady contain VBA AutoOpen macros, as many other malware campaigns do. However, SVCReady doesn’t rely on MSHTA or PowerShell to retrieve further payloads; instead it uses shellcode stored in the document’s properties.
After executing the VBA macros, the shellcode drops a DLL into the system’s %TEMP% directory, then copies rundll32.exe from Windows’ system directory and renames it, possibly to avoid detection. The shellcode runs the renamed rundll32.exe with a function name and the copied DLL as arguments. This operation launches SVCReady on the compromised system.
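As an added example (not code from HP’s report or from this article), the following defender-side heuristic scans the docProps parts of a .docx for property values that are unusually long or high-entropy, which is where a loader of this kind would stash encoded shellcode. The thresholds, the field inspected and the sample documents are constructed assumptions.

```python
import io
import math
import zipfile
import xml.etree.ElementTree as ET

# Metadata parts of a .docx package; SVCReady-style loaders stash shellcode in such properties.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
MAX_LEN = 256        # assumed threshold: legitimate property values are short
MIN_ENTROPY = 4.5    # assumed threshold in bits/char; encoded binary scores well above this

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded shellcode looks random and scores high."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_properties(docx_bytes: bytes) -> list:
    """Return (part, tag, length, entropy) for property values that look like stashed payloads."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in PROPERTY_PARTS:
            if part not in zf.namelist():
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                value = (elem.text or "").strip()
                if not value:
                    continue
                entropy = shannon_entropy(value)
                if len(value) > MAX_LEN or entropy > MIN_ENTROPY:
                    hits.append((part, elem.tag.split("}")[-1], len(value), round(entropy, 2)))
    return hits

def build_sample_docx(description: str) -> bytes:
    """Constructed sample: a minimal .docx whose core.xml description field holds `description`."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:title>Invoice</dc:title><dc:description>{description}</dc:description>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    for label, value in (("benign", "Quarterly invoice for review"), ("stashed blob", "A1" * 300)):
        print(label, suspicious_properties(build_sample_docx(value)))
```

Legacy binary .doc files keep the same properties in OLE SummaryInformation streams and need an OLE parser such as olefile; this check covers only the OOXML form.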
“The DLL started via rundll32.exe acts as a downloader, with additional functionalities for collecting information about the infected system and communicating with a command and control (C2) server,” HP’s security report says. “As soon as the downloader runs, it reports to the C2 server and immediately starts gathering information.”
The newly discovered malware’s capabilities include:
- File download
- Performing screenshots
- Running shell commands
- Virtual machine detection
- Checking the status of USB ports
- Collecting system information (brief and extensive collection)
- Creating a scheduled task to achieve persistence
- Running files
- Running files using RunPeNative in memory
- Retrieving additional payloads from the web