SVCReady – New Malware Family Spam Campaign
Incident Report for Ascend Security Events
Resolved

Source: HP Threat Research Blog

The Threat Research team at HP has released a bulletin describing a new malware family they named “SVCReady”. The malware has been widely distributed in spam campaigns since the end of April 2022 and is notable for its unusual delivery method.

SVCReady reaches devices primarily through malicious Microsoft Word (.doc) attachments on spam and phishing emails. As in many other malware campaigns, the documents contain Visual Basic for Applications (VBA) AutoOpen macros that execute malicious code when the document is opened. Unlike most Office-based malware, however, the document does not use PowerShell or MSHTA to download further payloads from the web. Instead, the VBA macro executes shellcode stored in the document's own properties, and that shellcode drops and runs the SVCReady malware.
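One way to hunt for documents built this way is to inspect the document properties themselves: a benign .doc carries a title, an author and a short comment, not a long hex- or base64-encoded blob with high entropy. The following Python triage heuristic is an added example written for this report, not code from HP's analysis or from the malware. It assumes the property values and the macro text have already been extracted (for instance with oletools) and are handed in as plain strings; the sample property set, the VBA snippet and the list of API names it flags are constructed for illustration and are not taken from the HP report.

```python
import base64
import math
import random
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

# Macro features worth flagging together: an auto-run entry point, a read of the
# document properties, and the usual in-memory shellcode-runner API names.
# This keyword list is an assumption for the example, not from HP's write-up.
MACRO_INDICATORS = (
    "AutoOpen", "Document_Open", "BuiltInDocumentProperties",
    "VirtualAlloc", "RtlMoveMemory", "CreateThread", "CallWindowProc",
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~0 for padding, close to 8 for packed/encrypted code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_blob(value: str):
    """Decode a property string as hex or base64; return the bytes or None."""
    s = "".join(value.split())
    if len(s) >= 2 and len(s) % 2 == 0 and HEX_RE.match(s):
        return bytes.fromhex(s)
    if B64_RE.match(s):
        try:
            return base64.b64decode(s, validate=True)
        except ValueError:
            return None
    return None


def suspicious_properties(props: dict, min_len: int = 200, min_entropy: float = 5.0):
    """Return (name, decoded_length, entropy) for properties that look like embedded code.

    Both the length and the entropy threshold are tunable assumptions: long but
    repetitive values (padding) decode to low-entropy bytes and are ignored.
    """
    findings = []
    for name, value in props.items():
        if not isinstance(value, str) or len(value) < min_len:
            continue
        blob = decode_blob(value)
        if blob is None:
            continue
        ent = shannon_entropy(blob)
        if ent >= min_entropy:
            findings.append((name, len(blob), round(ent, 2)))
    return findings


def macro_indicators(vba_source: str):
    """Return the MACRO_INDICATORS keywords present in the macro text."""
    return [kw for kw in MACRO_INDICATORS if kw in vba_source]


# Constructed sample data (not a real document): a deterministic pseudo-random
# 512-byte blob stands in for shellcode hidden in the "Comments" property.
_rng = random.Random(2022)
SAMPLE_PROPS = {
    "Title": "Invoice 2022-04",
    "Author": "accounts",
    "Comments": bytes(_rng.getrandbits(8) for _ in range(512)).hex(),
    "Keywords": "00" * 300,  # long but low-entropy: must not be flagged
}

SAMPLE_VBA = """
Sub AutoOpen()
    Dim sc As String
    sc = ActiveDocument.BuiltInDocumentProperties("Comments")
    ' ... decode sc, VirtualAlloc a buffer, RtlMoveMemory into it, CreateThread ...
End Sub
"""

if __name__ == "__main__":
    print(suspicious_properties(SAMPLE_PROPS))
    print(macro_indicators(SAMPLE_VBA))
```

Run on a corpus of attachments, a hit from suspicious_properties combined with an AutoOpen macro that reads the document properties is a strong triage signal, regardless of the specific malware family being dropped.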

Once running on the device, SVCReady begins collecting information about the infected system and communicating with a command and control (C2) server. Its other functions are:
• Download a file to the infected client
• Take a screenshot
• Run a shell command
• Check if it is running in a virtual machine
• Collect system information (a short and a “normal” version)
• Check the USB status, i.e., the number of devices plugged in
• Establish persistence through a scheduled task
• Run a file
• Run a file using RunPeNative in memory

HP assesses that the malware is most likely still in an early stage of development, since its authors updated it several times during May. Once it has infected a device it can contact the C2 server and download updates or additional malicious files to the device.

Indicators of Compromise:

• fa5747e42c4574f854cd0083b05064466e75d243da93008b9f0dcac5cf31f208
• e09c98b677264fc0de36a9fd99a2711455fe79699ca958938dd12b5bd2c66bad
• c0795d7a7f2c5fdb7615ee5826e8453bef832f36282d6229ec07caf49842f4bc
• d3e69a33913507c80742a2d7a59c889efe7aa8f52beef8d172764e049e03ead5
• muelgadr[.]top
• hxxp://wikidreamers[.]com/exe/install.exe

In response, Ascend Technologies has pushed detection for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs, which include file hashes, a domain, and a URL, give us the ability to detect and alert on this activity. As with most malware, end users are the target, so maintaining a robust security posture is highly important, including end-user training to develop safe and secure internet browsing habits.
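The IOCs above are published in defanged form (“[.]” for “.”, “hxxp” for “http”), so before they can be matched against EDR, DNS or proxy logs they have to be refanged and classified. The Python below is an added example for this report, not a tool from HP or from Ascend's own platforms: it normalizes the listed IOCs, builds one pattern per indicator type, and scans a handful of constructed log lines (not real telemetry). The log format and host names are assumptions for illustration.

```python
import re

# The indicators exactly as listed in this report, still defanged.
IOCS = [
    "fa5747e42c4574f854cd0083b05064466e75d243da93008b9f0dcac5cf31f208",
    "e09c98b677264fc0de36a9fd99a2711455fe79699ca958938dd12b5bd2c66bad",
    "c0795d7a7f2c5fdb7615ee5826e8453bef832f36282d6229ec07caf49842f4bc",
    "d3e69a33913507c80742a2d7a59c889efe7aa8f52beef8d172764e049e03ead5",
    "muelgadr[.]top",
    "hxxp://wikidreamers[.]com/exe/install.exe",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def refang(ioc: str) -> str:
    """Turn the common defanging conventions back into matchable text."""
    return (ioc.strip()
            .replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def classify(ioc: str):
    """Return (kind, normalized_value) where kind is sha256, url or domain."""
    value = refang(ioc)
    if SHA256_RE.match(value):
        return "sha256", value.lower()
    if "://" in value:
        return "url", value
    return "domain", value.lower()


def build_patterns(iocs):
    """Compile one regex per IOC with boundaries that avoid partial matches.

    Hashes must not match inside a longer hex string, and a domain must match
    itself or a subdomain (cdn.muelgadr.top) but not a longer label that merely
    contains it (notmuelgadr.top).
    """
    patterns = []
    for kind, value in map(classify, iocs):
        if kind == "sha256":
            rx = re.compile(r"(?<![0-9a-f])" + value + r"(?![0-9a-f])", re.I)
        elif kind == "url":
            rx = re.compile(re.escape(value), re.I)
        else:
            rx = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(value) + r"(?![A-Za-z0-9-])", re.I)
        patterns.append((kind, value, rx))
    return patterns


def scan(lines, iocs=IOCS):
    """Return (line_number, kind, ioc) for every IOC found in the given log lines."""
    patterns = build_patterns(iocs)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for kind, value, rx in patterns:
            if rx.search(line):
                hits.append((lineno, kind, value))
    return hits


# Constructed log lines (not real telemetry): an EDR process event carrying a
# hash in upper case, a DNS query to a subdomain of the C2 domain, a proxy hit
# on the payload URL, a look-alike domain that must not match, and a benign event.
SAMPLE_LOGS = [
    "2022-06-01T10:02:11Z edr host=WS-0412 event=ProcessCreate image=C:\\Users\\a\\AppData\\Roaming\\svc.dll "
    "sha256=FA5747E42C4574F854CD0083B05064466E75D243DA93008B9F0DCAC5CF31F208",
    "2022-06-01T10:02:15Z dns host=WS-0412 query=cdn.muelgadr.top type=A",
    "2022-06-01T10:03:02Z proxy host=WS-0412 method=GET url=http://wikidreamers.com/exe/install.exe status=200",
    "2022-06-01T10:05:00Z dns host=WS-0413 query=notmuelgadr.top type=A",
    "2022-06-01T10:06:00Z edr host=WS-0413 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Note that wikidreamers[.]com appears in the bulletin only as part of a URL, so the example matches the full URL rather than the bare domain; if you want to alert on any contact with that host, add the domain as a separate indicator rather than loosening the URL pattern.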

Author: Evan Obal

Source: https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
Posted Jun 07, 2022 - 13:57 CDT