Researchers have observed new malicious spam campaigns distributing a malware family named SVCReady. The attacks have been ongoing since April and use an unusual delivery method built around Microsoft Word documents.

SVCReady, an early-stage threat

According to HP, the developers behind the malware released several updates in May. It seems to be in an early stage, and currently undergoing heavy development.
  • It supports various functions such as downloading a file to the infected client, taking a screenshot, checking if it is running in a VM, running a shell command, and gathering system information.
  • Additionally, the malware supports anti-analysis features, information exfiltration, encrypted C2 communications, and persistence.
  • In one instance, the infected machines delivered RedLine Stealer as a follow-up payload.

The infection chain

The infection chain starts with a phishing email carrying a malicious .doc attachment. The campaign uses VBA macros to run shellcode hidden in the document's file properties.
  • The attackers attempt to evade security software by keeping the macro code separate from the malicious shellcode: the macro reads the shellcode stored in the document properties into a variable.
  • The shellcode is then loaded into memory, and the VirtualProtect API is used to make that memory executable. Next, the address of the shellcode is passed to the SetTimer API, which runs it.
  • Additionally, a copy of the legitimate Windows binary rundll32.exe is placed in the same directory under a different name and is finally used to run SVCReady.
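As an added defensive illustration (not code from HP's report or from this write-up), the following Python flags document metadata fields that look like an encoded payload rather than human text, which is the hiding place described above. The article concerns a legacy .doc; this example parses the OOXML docProps parts with the standard library only and builds its own constructed sample in memory, and the same heuristic can be applied to the SummaryInformation streams of an OLE .doc with a library such as olefile.

```python
import io
import math
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"


def build_sample_docx(comment_value: str) -> bytes:
    """Constructed minimal OOXML package; dc:description is the Word 'Comments'
    field and is where the supplied value is stored. Test fixture, not a real sample."""
    core_xml = (
        f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}">'
        f"<dc:title>Invoice</dc:title><dc:description>{comment_value}</dc:description>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<w:document/>")  # placeholder body
    return buf.getvalue()


def shannon_entropy(s: str) -> float:
    """Bits per character; hex tops out at 4.0, base64 at 6.0, English prose ~4.0-4.5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_properties(docx_bytes: bytes, min_len: int = 200, min_entropy: float = 3.5):
    """Return (field, length, entropy) for metadata fields that are long, contain
    no spaces and are high-entropy: the shape of an encoded blob, not a human note.
    Thresholds are assumptions chosen for this illustration; tune them to your data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                text = (el.text or "").strip()
                field = el.tag.split("}")[-1]  # drop the XML namespace
                if len(text) >= min_len and " " not in text:
                    ent = round(shannon_entropy(text), 2)
                    if ent >= min_entropy:
                        findings.append((field, len(text), ent))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a hex-encoded payload: 512 hex characters, entropy 4.0.
    print(suspicious_properties(build_sample_docx(bytes(range(256)).hex())))
    print(suspicious_properties(build_sample_docx("Quarterly invoice for review")))
```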

Researchers have also spotted overlaps between the file names of the lure documents, and the images embedded in them, used to spread SVCReady and those used by another group known as TA551.

Conclusion

SVCReady is believed to be in an early development stage and could become a full-fledged threat in the future. Organizations are therefore advised to deploy anti-phishing solutions to stop it from spreading, and reliable anti-malware solutions to detect the malware.

Cyware Publisher
