Security researchers discovered a new malware loader dubbed ‘SVCReady’ in recent phishing attacks. The malware has an atypical way of infecting the compromised device, by loading from Word documents’ properties.
SVCReady stores shellcode in the properties of malicious Word documents and executes it through VBA macro code. Threat actors usually deploy infected Word documents as email attachments.
Researchers believe the malware has been around since April and noticed an influx of updates from its developers in May. This led them to believe that, although SVCReady is still in its early days, it’s likely under heavy development.
Despite the malware’s purported infancy, it boasts several features, including encrypted C2 communications, persistence, data exfiltration, and detection evasion.
According to HP’s research, documents infected with SVCReady contain VBA AutoOpen macros, like other malware campaigns. However, SVCReady doesn’t rely on MSHTA or PowerShell to retrieve further payloads but instead uses shellcode stored in the document’s properties.
After executing the VBA macros, the shellcode drops a DLL into the system’s %TEMP% directory, then copies rundll32.exe from Windows’ system directory and renames it, possibly to avoid detection. The shellcode runs the renamed rundll32.exe with a function name and the copied DLL as arguments. This operation launches SVCReady on the compromised system.
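As an added defender-side illustration (not code from HP’s report or this article), the following Python check looks for the two document traits described above in a .docx: a VBA project part plus a document property holding a long encoded blob rather than a short readable string. The length threshold, the blob pattern, and the sample document it builds are assumptions constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumed thresholds: real document properties are short, human-readable
# strings; a smuggled payload is long and looks like hex or base64.
MAX_NORMAL_LEN = 256
BLOB_RE = re.compile(r"^[0-9A-Fa-f]+$|^[A-Za-z0-9+/=]+$")
PROP_PARTS = ("docProps/custom.xml", "docProps/core.xml", "docProps/app.xml")


def scan_docx(data: bytes) -> dict:
    """Report whether the package carries a VBA project and which
    properties hold blob-like values (part, property name, value length)."""
    findings = {"has_vba": False, "suspect_props": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_vba"] = "word/vbaProject.bin" in names
        for part in PROP_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            parent = {c: p for p in root.iter() for c in p}
            for elem in root.iter():
                text = (elem.text or "").strip()
                if len(text) > MAX_NORMAL_LEN and BLOB_RE.match(text):
                    # custom.xml keeps the name on the <property> parent,
                    # core/app parts name the value by its element tag
                    holder = elem if elem.get("name") else parent.get(elem, elem)
                    name = holder.get("name") or elem.tag.split("}")[-1]
                    findings["suspect_props"].append((part, name, len(text)))
    return findings


def build_sample_docx(prop_value: str) -> bytes:
    """Constructed minimal .docx: a stub VBA part and one custom property."""
    custom_xml = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Comments">'
        f"<vt:lpwstr>{prop_value}</vt:lpwstr></property></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stub, not a real macro
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx("90" * 400)))  # filler hex stands in for a payload
```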
“The DLL started via rundll32.exe acts as a downloader, with additional functionalities for collecting information about the infected system and communicating with a command and control (C2) server,” HP’s security report says. “As soon as the downloader runs, it reports to the C2 server and immediately starts gathering information.”
The newly discovered malware’s capabilities include:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.