SVCReady Malware Loader Uses Microsoft Office Documents for Attack

While studying phishing attacks, HP researchers discovered a previously unknown malware loader, SVCReady, which reaches victim machines in an unusual way: through shellcode stored inside Word documents.

The researchers write that SVCReady uses VBA macros to execute shellcode stored in the document's properties; the documents themselves usually reach victims as email attachments.

The malware appears to be under active development: it was first seen in April 2022, and in May its author released several updates in quick succession.


The SVCReady infection chain begins with a phishing email carrying a malicious .doc attachment. Unlike the typical maldoc, whose macro launches PowerShell or MSHTA to fetch a payload, here the VBA code reads shellcode hidden in the file's document properties and runs it directly.


The researchers note that by keeping the malicious shellcode out of the macro code itself, the attackers are trying to evade security products that would otherwise detect such attacks from the macro alone.
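As an added illustration of the detection angle (example triage code written for this page, not HP's tooling and not anything taken from the SVCReady sample), the script below scores a document on two signals: a VBA macro that reads `BuiltInDocumentProperties`/`CustomDocumentProperties` at run time, and a property whose value decodes to a long, high-entropy byte blob. Property extraction is left to the caller (for an OLE2 `.doc`, the SummaryInformation streams via a library such as `olefile`; for `.docx`, the `docProps/*.xml` parts); the property dictionary, the macro text, the indicator lists and the thresholds are all constructed assumptions, and the `BLOB` bytes are a stand-in for shellcode.

```python
import base64
import math
import re

# Assumed indicator sets: VBA calls that read document metadata at run time,
# and API names typical of in-memory execution.  Not taken from the sample.
PROPERTY_READERS = re.compile(
    r"\b(BuiltInDocumentProperties|CustomDocumentProperties)\b", re.I)
EXEC_IDIOMS = re.compile(
    r"\b(VirtualAlloc|RtlMoveMemory|CreateThread|CallWindowProc|EnumWindows)\b", re.I)

MIN_BLOB_LEN = 256   # bytes; assumption - shellcode is rarely shorter
MIN_ENTROPY = 6.0    # bits per byte; assumption - text properties sit far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_property(value: str) -> bytes:
    """Turn a property string back into bytes.  Properties are text, so a
    binary payload has to be text-encoded; try hex, then base64, else raw."""
    v = value.strip()
    if len(v) >= 2 and len(v) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", v):
        return bytes.fromhex(v)
    if len(v) >= 16 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v):
        try:
            return base64.b64decode(v, validate=True)
        except ValueError:
            pass
    return v.encode("utf-8", "replace")


def triage(properties: dict, vba_source: str) -> dict:
    """Combine the macro signal with the property signal into a verdict."""
    reads_props = bool(PROPERTY_READERS.search(vba_source))
    exec_idioms = bool(EXEC_IDIOMS.search(vba_source))
    blobs = []
    for name, value in properties.items():
        raw = decode_property(value)
        ent = shannon_entropy(raw)
        if len(raw) >= MIN_BLOB_LEN and ent >= MIN_ENTROPY:
            blobs.append((name, len(raw), round(ent, 2)))
    reasons = []
    if reads_props:
        reasons.append("macro reads document properties at run time")
    if exec_idioms:
        reasons.append("macro names in-memory execution APIs")
    for name, size, ent in blobs:
        reasons.append(f"property {name!r} decodes to {size} bytes, entropy {ent}")
    # A property-reading macro plus a shellcode-sized blob is the SVCReady shape;
    # the API names only raise confidence, since they are easy to obfuscate.
    return {"suspicious": reads_props and bool(blobs), "reasons": reasons}


# Constructed samples.  The blob is a stand-in for shellcode: 512 bytes that
# cover every byte value, hex-encoded the way a text property would carry it.
BLOB = bytes(range(256)) * 2
MALICIOUS_PROPS = {"Title": "Invoice", "Author": "accounts", "Comments": BLOB.hex()}
MALICIOUS_VBA = """
Private Sub Document_Open()
    Dim s As String
    s = ActiveDocument.BuiltInDocumentProperties("Comments").Value
    ' decode s, VirtualAlloc a buffer, RtlMoveMemory into it, CreateThread
End Sub
"""
BENIGN_PROPS = {"Title": "Invoice", "Author": "accounts", "Comments": "Q2 totals"}
BENIGN_VBA = 'Private Sub Document_Open()\n    MsgBox "Hello"\nEnd Sub\n'

if __name__ == "__main__":
    for label, props, vba in (("malicious", MALICIOUS_PROPS, MALICIOUS_VBA),
                              ("benign", BENIGN_PROPS, BENIGN_VBA)):
        print(label, triage(props, vba))
```

The verdict deliberately requires both signals: long, high-entropy properties alone occur in legitimate files (embedded thumbnails, signatures), and a macro reading `BuiltInDocumentProperties` alone is common in document templates. Run the two together and the false-positive rate drops sharply.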

SVCReady begins by profiling the system with registry queries and Windows API calls, then sends the collected information to its command-and-control (C&C) server in an HTTP POST request. C&C traffic is encrypted with RC4; this was added in May in one of the recent updates.
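Because the check-in is RC4-encrypted with a key that has to live inside the sample, an analyst who has pulled the key out of the binary can decrypt captured POST bodies offline. The block below is an added example for this page, not code from the malware or from HP's analysis: it implements RC4 from scratch and decodes a constructed check-in. The key, the form-encoded field layout and the captured bytes are all assumptions; the page does not publish SVCReady's actual key or request format.

```python
from urllib.parse import parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then the PRGA keystream XORed over data.
    The cipher is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_checkin(body: bytes, key: bytes) -> dict:
    """Decrypt a captured POST body and split it into fields.  The
    key=value&... layout is an assumption made for this example."""
    plain = rc4(key, body)
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        # RC4 has no integrity check: a wrong key yields noise, not an error,
        # so an undecodable result is the only hint that the key is wrong.
        raise ValueError("decrypted body is not ASCII; wrong key?") from None
    return {k: v[0] for k, v in parse_qs(text, strict_parsing=True).items()}


# Constructed stand-ins: the key is NOT SVCReady's, and the "capture" is
# produced here by encrypting a made-up host profile under that key.
ASSUMED_KEY = b"example-key"
CAPTURED_BODY = rc4(ASSUMED_KEY, b"id=deadbeef&host=WS01&user=alice&vm=0&ver=2")

if __name__ == "__main__":
    print(decode_checkin(CAPTURED_BODY, ASSUMED_KEY))
```

Two practical notes: RC4 with a static key gives the malware confidentiality against a casual packet capture but nothing else, since every infected host uses the same keystream prefix, so the first bytes of every beacon are XORed with identical values; and because there is no MAC, a wrong key fails silently, which is why the decoder checks that the output is at least printable before trusting it.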

SVCReady also runs two WMI queries on the host to determine whether it is inside a virtual machine. If it is, the malware sleeps for 30 minutes to hinder analysis.

The author has also tried to add a persistence mechanism (a scheduled task plus a new registry key), but because of bugs in the code the malware does not yet restart after a reboot.


Once these preliminary stages are complete, data collection begins: taking screenshots, extracting osinfo, and sending the results to the C&C server. SVCReady contacts the C&C server every five minutes to report its status, receive new jobs, upload stolen data, or check the domain.

SVCReady currently supports the following features:

  1. download a file to the infected host;
  2. take a screenshot;
  3. run a shell command;
  4. check whether it is running in a virtual machine;
  5. collect system information (a quick or a "normal" collection);
  6. check USB status, i.e. count the connected devices;
  7. persist on the host via a scheduled task;
  8. run a file;
  9. run a file in memory using RunPeNative.

SVCReady can also fetch additional payloads: on April 26, 2022, HP analysts observed it deploy the RedLine Stealer on an infected host.

HP's researchers report that SVCReady resembles past campaigns of the TA551 group (aka Hive0106 or Shatak), sharing decoy images in the malicious documents, resource URLs used to fetch payloads, and more. This phishing group has previously used the same domains to host Ursnif and IcedID payloads.

"Perhaps these are just artifacts left by different attackers using the same tools. However, our research shows that similar templates, and likely document builders, are used by TA551 and SVCReady campaign operators," the experts write.


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.