Researchers are warning of a spam campaign that delivers the SVCReady malware to victims. A new wave of phishing emails has been observed spreading SVCReady, a malware loader that is still under active development.
In a technical write-up, Patrick Schläpfer, a threat analyst at HP, noted, “The malware is interesting for the unconventional method by which it is transmitted to target PCs — employing shellcode buried in the properties of Microsoft Office documents.”
According to HP, SVCReady is in an early stage of development: its authors modified it several times over the previous month. The first signs of activity appeared on April 22, 2022.
The infection chain begins with an email carrying a Microsoft Word attachment that contains VBA macros, which starts the delivery of the malicious payload.
Rather than using PowerShell or MSHTA to fetch a next-stage executable from a remote server, the macro executes shellcode stored in the document's properties, and that shellcode in turn drops the SVCReady payload. Because the shellcode never appears in the macro code itself, a scan that looks only at the VBA source will miss it; the document's property values have to be inspected as well.
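The following is an added triage example, not code from HP's write-up or from the malware: it unpacks a Word document's property parts (core, app and custom properties) and flags any property whose value is a long run of hex or base64 characters, the shape an encoded blob takes when it is parked in a field meant for a title or a comment. It assumes the OOXML (.docx) container; the page does not say which property the attackers used, what encoding they chose, or whether the lures were .docx or legacy .doc files, so the property name, the encoding and the sample document below are assumptions. The embedded blob is a constructed placeholder with the right shape, not shellcode.

```python
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the OOXML parts that carry document properties.
NS = {
    "op": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")

# A value made only of hex digits, or only of base64 characters, with no spaces or
# punctuation, is not how a human fills in a title, author or comment field.
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")
B64_ONLY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; reported with a finding to help an analyst, not used as the gate."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_properties(docx_bytes: bytes) -> dict:
    """Map (part, property name) -> text value for the core, app and custom property parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in PROPERTY_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            if part.endswith("custom.xml"):
                # custom.xml: <property name="X"><vt:lpwstr>value</vt:lpwstr></property>
                for prop in root.findall("op:property", NS):
                    value = "".join(child.text or "" for child in prop)
                    found[(part, prop.get("name", "?"))] = value
            else:
                # core.xml / app.xml: one child element per property, e.g. <dc:title>
                for el in root:
                    found[(part, el.tag.rsplit("}", 1)[-1])] = el.text or ""
    return found


def suspicious_properties(props: dict, min_len: int = 256) -> list:
    """Return (part, name, length, encoding, entropy) for values that look like an encoded blob."""
    findings = []
    for (part, name), value in props.items():
        v = value.strip()
        if len(v) < min_len:
            continue
        if HEX_ONLY.match(v):
            enc = "hex"
        elif B64_ONLY.match(v):
            enc = "base64"
        else:
            continue
        findings.append((part, name, len(v), enc, round(shannon_entropy(v), 2)))
    return findings


# Constructed sample: 400 hex characters standing in for an encoded payload. It is NOT
# shellcode and is not taken from any real lure; it only has the shape the scanner keys on.
SAMPLE_BLOB = "".join(f"{(i * 73 + 11) & 0xFF:02x}" for i in range(200))


def build_sample_docx(blob: str) -> bytes:
    """Build a minimal in-memory .docx holding only the property parts the scanner reads (constructed)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:title>Invoice</dc:title><dc:creator>accounting</dc:creator>"
        "</cp:coreProperties>"
    )
    custom = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS["op"]}" xmlns:vt="{NS["vt"]}">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Version">'
        "<vt:lpwstr>1.2</vt:lpwstr></property>"
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="Comments">'
        f"<vt:lpwstr>{blob}</vt:lpwstr></property>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/custom.xml", custom)
    return buf.getvalue()


if __name__ == "__main__":
    props = extract_properties(build_sample_docx(SAMPLE_BLOB))
    for hit in suspicious_properties(props):
        print("suspicious property:", hit)
```

The length gate plus the character-class check is deliberately simple: a legitimate title or comment contains spaces and punctuation and so never matches, while even a short shellcode stub encoded as text is far longer than 256 characters. Legacy .doc files keep the same properties in the OLE SummaryInformation and DocumentSummaryInformation streams rather than in XML parts; for those, read the metadata with olefile (or oletools' olemeta) and feed the values to suspicious_properties in the same way.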
The malware can collect system information, capture screenshots, run shell commands, and download and execute arbitrary files, and it gains persistence on the infected host through a scheduled task.
In one case observed on April 26, RedLine Stealer was delivered as a follow-up payload to a machine already infected with SVCReady.
HP said it found similarities between the file names of the lure documents used to distribute SVCReady, and the images embedded in them, and those used by another group tracked as TA551 (aka Hive0106 or Shathak), but it is not clear whether the latest campaign is the work of the same threat actor.
“It’s plausible that the artifacts we’re seeing were left by two different attackers using the same tools,” Schläpfer speculated. “However, our findings reveal that the actors behind the TA551 and SVCReady campaigns are using identical templates and possibly document builders.”