Researchers have uncovered a malware loader being distributed via phishing emails with Microsoft Word attachments. The loader, called SVCReady, allows attackers to gather information on infected machines, run shell commands and execute arbitrary files.
SVCReady was first seen in April, spread by malicious spam campaigns. The loader is unique in that its infection chain relies on shellcode stored in a Word document. Researchers said this technique is not often seen in malware campaigns, although it was observed in mid-April being used by attackers to distribute the Ursnif malware.
“As in many other malware campaigns, the documents contain Visual Basic for Applications (VBA) AutoOpen macros that are used to execute malicious code. But unlike other Office malware, the document does not use PowerShell or MSHTA to download further payloads from the web,” said Patrick Schläpfer, malware analyst with HP, in a Tuesday analysis. “Instead, the VBA macro runs shellcode stored in the properties of the document, which then drops and runs SVCReady malware.”
The shellcode is loaded into a variable, stored in memory and eventually executed. It drops a dynamic link library (DLL) and a copy of rundll32.exe (renamed, in a likely attempt to evade detection) into the %TEMP% directory. When these files are run, SVCReady is launched.
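A first line of triage against documents like the one described above is to look for the two indicators together: a VBA project inside the file and a document property whose value is far longer and more uniform than any human-written metadata. The Python below is an added example, not HP's tooling or code from the campaign; it assumes the OOXML (.docm) container, which the article does not specify, and builds its own minimal sample files in memory, so the length threshold and the filler "payload" are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Heuristic thresholds chosen for this example; tune them for your environment.
MIN_BLOB_LEN = 512
HEX_RE = re.compile(r"^[0-9A-Fa-f\s]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def looks_like_blob(value: str) -> bool:
    """True if a property value is long and made only of hex or base64 characters,
    which is how a payload hidden in a metadata field tends to look."""
    v = value.strip()
    if len(v) < MIN_BLOB_LEN:
        return False
    return bool(HEX_RE.match(v)) or bool(B64_RE.match(v))


def triage_office_doc(data: bytes) -> dict:
    """Inspect an OOXML Word file (.docx/.docm) held in memory.

    Returns a dict with:
      has_macros      - True if word/vbaProject.bin is present
      blob_properties - (part, element, length) for property values that look
                        like encoded binary
      verdict         - 'suspicious' when both indicators are present,
                        'review' when only one is, otherwise 'clean'
    """
    findings = {"has_macros": False, "blob_properties": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_macros"] = "word/vbaProject.bin" in names
        for part in names:
            # Built-in, extended and custom properties all live under docProps/.
            if not (part.startswith("docProps/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            for elem in root.iter():
                if elem.text and looks_like_blob(elem.text):
                    tag = elem.tag.split("}")[-1]  # drop the XML namespace
                    findings["blob_properties"].append((part, tag, len(elem.text.strip())))
    if findings["has_macros"] and findings["blob_properties"]:
        findings["verdict"] = "suspicious"
    elif findings["has_macros"] or findings["blob_properties"]:
        findings["verdict"] = "review"
    return findings


def build_sample_doc(with_macro: bool, with_blob: bool) -> bytes:
    """Constructed test input: a minimal OOXML container, not a real campaign file.
    The 'blob' is 800 hex characters of filler standing in for an encoded payload."""
    blob = "90" * 400
    description = blob if with_blob else "Quarterly report"
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:title>Invoice</dc:title>"
        f"<dc:description>{description}</dc:description>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder macro stream
    return buf.getvalue()


if __name__ == "__main__":
    for macro, blob in [(False, False), (True, False), (True, True)]:
        print(f"macro={macro} blob={blob} ->", triage_office_doc(build_sample_doc(macro, blob)))
```

The check deliberately treats each indicator alone as only worth a second look: macro-enabled documents with ordinary metadata are common in business mail, and a long base64 value in a property can be benign template data. The combination is what matches the chain described in the article.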
SVCReady acts as a downloader and has additional functionality for collecting data on the infected system and communicating with the command-and-control (C2) server. The data gathered includes system information (username, computer name, time zone, and registry details such as the computer’s manufacturer, BIOS and firmware). The malware also collects information about running processes and installed software. Its other capabilities include taking a screenshot, running a shell command, downloading a file to the infected client, checking whether it is running in a virtual machine, and more.
Researchers also observed the RedLine Stealer being delivered as a follow-up payload after the initial infection with SVCReady in an April 26 campaign; however, they have not observed any follow-up malware payloads since then.
“Communication with the C2 server occurs via HTTP, but the data itself is encrypted using the RC4 cipher,” said researchers. “Interestingly, RC4 encryption was not implemented in the first malware samples we analyzed at the end of April 2022. This suggests that the C2 encryption was only added during May and that the malware is being actively developed.”
Researchers noted several similarities in both the lure images and the file names of the documents used to deliver SVCReady and those used in TA551 campaigns, which were last seen at the end of January 2022. TA551 is a group that has been active since at least 2016 and has previously distributed malware payloads such as Ursnif, IcedID, Qbot and Emotet.
“Comparing the images used in malware documents provides no certainty that the same threat actor is behind them, since it is possible that we are seeing the artifacts left by two different attackers who are using the same tools,” said researchers. “However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns.”
The malware also has several bugs. For instance, while trying to achieve persistence on the system, the attackers tried to implement a feature that copied the malware DLL into the Roaming directory under a unique name. However, it appears they failed to implement this correctly: rundll32.exe is copied to the Roaming directory instead of the SVCReady DLL. Because of this error, the malware does not start after the system is rebooted.
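Both the renamed rundll32.exe dropped into %TEMP% and the stray rundll32.exe copied into the Roaming directory leave the same trace for defenders: a process whose on-disk name differs from the name embedded in its version resource, running from a user-writable path. The following Python is an added example, not from HP's analysis or the campaign; it scores constructed process-creation records that borrow Sysmon-style field names (Image, OriginalFileName, ParentImage, CommandLine). The paths, file names and the key=value record format are assumptions made for the example, not indicators from SVCReady.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified key=value form. Field names follow
# the Sysmon process-creation event, but every path, file name and parent process
# below is invented for this example.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\rundll32.exe|OriginalFileName=RUNDLL32.EXE|ParentImage=C:\\Windows\\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\tmp4f2a.exe|OriginalFileName=RUNDLL32.EXE|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine=tmp4f2a.exe C:\\Users\\alice\\AppData\\Local\\Temp\\tmp9c1b.dll,Start
Image=C:\\Users\\alice\\AppData\\Roaming\\e7d1b3.exe|OriginalFileName=RUNDLL32.EXE|ParentImage=C:\\Windows\\explorer.exe|CommandLine=e7d1b3.exe C:\\Users\\alice\\AppData\\Roaming\\e7d1b3.dll,Start
Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|OriginalFileName=WinWord.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="WINWORD.EXE" invoice.docm
"""

# Directories an unprivileged user can write to, where system binaries do not belong.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProcEvent:
    image: str
    original_file_name: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Split one 'Key=Value|Key=Value' record into a ProcEvent."""
    fields: Dict[str, str] = {}
    for chunk in line.split("|"):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return ProcEvent(
        image=fields.get("Image", ""),
        original_file_name=fields.get("OriginalFileName", ""),
        parent_image=fields.get("ParentImage", ""),
        command_line=fields.get("CommandLine", ""),
    )


def score_event(ev: ProcEvent) -> List[str]:
    """Return the indicators an event trips; the renamed-binary check comes first
    because it is the primary signal, the others only add confidence."""
    reasons: List[str] = []
    image_name = ntpath.basename(ev.image).lower()
    if ev.original_file_name.lower() == "rundll32.exe" and image_name != "rundll32.exe":
        reasons.append("renamed rundll32 (Image name differs from OriginalFileName)")
    if any(d in ev.image.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("image executes from a user-writable directory")
    if ntpath.basename(ev.parent_image).lower() in OFFICE_APPS:
        reasons.append("parent process is an Office application")
    return reasons


def detect_renamed_rundll32(log_text: str) -> List[Tuple[str, List[str]]]:
    """Alert on every event whose binary is a renamed rundll32.exe, attaching the
    supporting indicators so an analyst can rank the alerts."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons and reasons[0].startswith("renamed rundll32"):
            alerts.append((ev.image, reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in detect_renamed_rundll32(SAMPLE_LOG):
        print(image)
        for r in reasons:
            print("   -", r)
```

Keying the rule on the mismatch between the file name and OriginalFileName rather than on any particular dropped name is what makes it robust to the renaming the article describes: the attacker controls the name on disk but not the version resource of the legitimate rundll32.exe they copied.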
“SVCReady is under active development,” said researchers. “We have tracked several changes since the first campaign in April 2022. This, as well as the low frequency and volume of the campaigns, suggests that the malware is in the early stages of development.”