A previously unknown malware loader called SVCReady has been discovered in phishing attacks that has an unusual method of loading malware from Word documents onto compromised machines.
Specifically, it uses VBA macro code to execute shellcode stored in the properties of a document that arrives as an email attachment.
According to a new report from HP, the malware has been in the works since April 2022, and the developers released several updates in May 2022. This indicates that it is currently under intense development and is probably still in its early stages.
However, it currently supports data mining, persistence, anti-analysis features, and C2 encrypted communications.
SVCReady starts with an email
The infection chain starts with a phishing email containing a malicious .doc attachment.
However, unlike the standard method of using PowerShell or MSHTA via malicious macros to download payloads from remote locations, this campaign uses VBA to execute shellcode hidden in file properties.
As shown below, this code shell is stored in Word document properties that are extracted and executed by macros.
By separating macros from malicious shellcode, threat actors attempt to bypass the security software that would normally detect it.
“Next, the shellcode, located in the document properties, is loaded into a variable. Depending on whether the system architecture is 32-bit or 64-bit, a different shellcode is loaded,” the HP report explains.
The appropriate shellcode is loaded into tino memory, from where it uses the Windows API function “Virtual Protect” to gain executable access rights.
Next, the SetTimer API sends the address of the shellcode and executes it. This action results in the DLL (malware payload) being dropped in the %TEMP% folder.
A copy of “rundll32.exe”, a legitimate Windows binary, is also placed in the same directory under a different name and is eventually exploited to run SVCReady.
New SVCReady malware loader
The SVCReady malware starts by profiling the system through registry queries and Windows API calls and sends all the collected information to the C2 server via an HTTP POST request.
Communication with C2 is encrypted using an RC4 key. HP analysts state that this functionality was added in one of the malware updates in May.
The malware also makes two WMI queries of the host to find out if it is running in a virtual environment, and if it does to escape analysis, it goes to sleep for 30 minutes.
The persistence mechanism currently relies on the creation of a scheduled task and a new registry key, but due to implementation errors, the malware does not launch after a reboot.
The second stage of information gathering starts after all this and includes screenshots, extracting “osinfo” and sending everything to C2.
SVCReady connects to C2 every five minutes to report its status, receive new tasks, send stolen data, or verify domains.
The functions supported by SVCReady at this time are as follows:
• Download a file to the infected client
• Take a screenshot
• Run a shell command
• Check if it runs in the virtual machine or not
• Collect system information (a short and “normal” version)
• Check the USB status, for example, the number of connected devices
• Build sustainability through a planned task
• Run a file
• Run a file in memory using RunPeNative
Finally, malware can also receive additional payloads. HP analysts observed an instance on April 26, 2022, where SVCReady dropped a Readline thief payload on an infected host.
Links to TA551
HP reports seeing links to past TA551 (Shatak) campaigns, such as decoy images used in malicious documents, source URLs used for payloads, etc. Previously, phishing gangs used these domains to host Ursnif and IcedID payloads.
TA551 has been linked to various malware operators and even ransomware affiliates, so the connection to SVCReady is currently unclear and could be a distribution partnership.
However, since the malware appears to be in early development, testing it through the TA551 seems unlikely, so it could be the group’s own malware project.