A new malware loader on the rise.
HP Threat Research has released a report detailing a previously unknown malware loader. The researchers have been observing malicious spam campaigns since the end of April 2022 that distribute the new malware, called SVCReady. The loader is delivered in an uncommon way: via shellcode hidden in the properties of Microsoft Office documents. From what the threat research team has uncovered, the malware still appears to be in development, with several updates observed during May 2022.
A Look into SVCReady Malware Loader
In the analyzed campaign, the attackers sent .doc attachments by email. These documents contain Visual Basic for Applications (VBA) AutoOpen macros that execute the malicious code when the document is opened. However, the documents do not use PowerShell or MSHTA to download further payloads from the web, as many malicious documents do. Instead, the VBA macro runs shellcode stored in the properties of the document, which then drops and runs the SVCReady malware, the report noted.
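Checking document properties for an embedded payload is the first thing a defender will want to do after reading this. The following is an added example, not HP's code and not from the report: a stdlib-only scanner that walks the docProps/*.xml parts of an OOXML (.docx) file and flags any property value that is long and made entirely of hex or base64 characters, or that is otherwise high-entropy text. The campaign described here used legacy .doc (OLE2) files, whose properties live in the SummaryInformation streams rather than in XML; for those, the same value check can be run on properties extracted with olefile or oletools' olemeta, which this example does not cover. The sample document, the property name "Stage1" and the hex filler standing in for shellcode are all constructed for the example.

```python
"""Flag Office document properties that look like hidden shellcode.

Added example: stdlib-only scanner for OOXML (.docx) property parts.
The sample document and its 'Stage1' property are constructed here.
"""
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_property(value: str, min_len: int = 200) -> bool:
    """True when a property value is long and looks like an encoded blob.

    Legitimate metadata (title, author, short comments) is short and
    contains spaces; an encoded payload is a long run drawn from a hex
    or base64 alphabet, or is otherwise high-entropy text.
    """
    v = value.strip()
    if len(v) < min_len:
        return False
    if HEX_RE.match(v) or B64_RE.match(v):
        return True
    return shannon_entropy(v) > 4.8


def iter_properties(part_name: str, xml_bytes: bytes):
    """Yield (name, value) for every property in a docProps/*.xml part."""
    root = ET.fromstring(xml_bytes)
    if part_name == "docProps/custom.xml":
        # <property name="X"><vt:lpwstr>value</vt:lpwstr></property>
        for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
            value = "".join(child.text or "" for child in prop)
            yield prop.get("name", "?"), value
    else:
        # core.xml / app.xml: one element per property, e.g. <dc:title>
        for elem in root:
            yield elem.tag.split("}")[-1], elem.text or ""


def scan_docx_properties(blob: bytes):
    """Return [(part, property_name, value_length)] for suspicious values."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.startswith("docProps/") or not name.endswith(".xml"):
                continue
            for prop_name, value in iter_properties(name, zf.read(name)):
                if suspicious_property(value):
                    hits.append((name, prop_name, len(value.strip())))
    return hits


def build_sample_docx(payload_hex: str) -> bytes:
    """Constructed .docx with a custom property carrying payload_hex."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
        'package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:title>Invoice</dc:title><dc:creator>user</dc:creator>"
        "</cp:coreProperties>"
    )
    custom = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
        f'name="Stage1"><vt:lpwstr>{payload_hex}</vt:lpwstr></property>'
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal stub
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/custom.xml", custom)
    return buf.getvalue()


# Constructed stand-in for an encoded shellcode blob (not real shellcode).
SAMPLE_BLOB = "90" * 150 + "cc" * 10

if __name__ == "__main__":
    for hit in scan_docx_properties(build_sample_docx(SAMPLE_BLOB)):
        print("suspicious property:", hit)
```

The length threshold is deliberately generous: a real shellcode stub encoded as hex runs to hundreds of characters, while normal metadata fields rarely exceed a sentence, so a long single-alphabet run is a strong signal on its own without needing the entropy fallback.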
As for the malware itself, it collects system information such as the username, computer name, time zone, and whether the machine is joined to a domain. It also queries the Registry, specifically the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System key, for details about the computer’s manufacturer, BIOS and firmware. Other details SVCReady collects include lists of running processes and installed software. The information gathering is done through direct Windows API calls rather than Windows Management Instrumentation (WMI) queries, which matters for detection engineers because rules keyed on WMI activity will not see it. All collected details are formatted as JSON and sent to the C2 server via an HTTP POST request.
Communication with the command-and-control (C2) server is over plain HTTP, but the POST body itself is encrypted with the RC4 cipher. The malware also attempts to achieve persistence, although, as the report describes, the implementation is buggy:
After exfiltrating information about the infected PC, the malware tries to achieve persistence on the system. The malware’s authors probably intended to copy the malware DLL to the Roaming directory, giving it a unique name based on a freshly generated UUID. But it seems they failed to implement this correctly because rundll32.exe is copied to the Roaming directory instead of the SVCReady DLL.
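Because the C2 traffic is plain HTTP with only the body under RC4, an analyst who has pulled the key out of a sample can recover the fingerprint JSON straight from a packet capture. The following added example (not code from the HP report) builds a fingerprint with the fields listed above, wraps it the way the bot would, and decodes a captured body; it tries the body as plaintext first because, as the report notes further down, the campaign that delivered RedLine sent its C2 data unencrypted. The JSON field names, the RC4 key and the host details are constructed for the example and are not the malware's real format.

```python
"""Decode an SVCReady-style C2 POST body: JSON fingerprint under RC4.

Added example, not code from the HP report. Field names, the key and
the sample host details are constructed; the page gives the real format
only as "JSON, RC4, HTTP POST".
"""
import json
from typing import Optional

# Constructed key; a real decoder would take it from the sample.
KEY = b"example-rc4-key"

# Constructed fingerprint mirroring the fields the article lists.
SAMPLE_FINGERPRINT = {
    "username": "jdoe",
    "computer_name": "DESKTOP-LAB01",
    "time_zone": "UTC+01:00",
    "domain_joined": False,
    # Values of the kind read from HKLM\HARDWARE\DESCRIPTION\System
    "manufacturer": "Example Corp",
    "bios_version": "EXAMPLE-BIOS 1.0",
    "processes": ["explorer.exe", "WINWORD.EXE"],
    "software": ["Example Office 2019"],
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def make_c2_body(fingerprint: dict, key: bytes) -> bytes:
    """What the bot would POST: compact JSON, then RC4 under key."""
    plaintext = json.dumps(fingerprint, separators=(",", ":")).encode()
    return rc4(key, plaintext)


def decode_c2_body(body: bytes, key: bytes) -> Optional[dict]:
    """Recover the JSON fingerprint from a captured POST body.

    An early campaign sent the C2 format unencrypted, so try the body
    as-is first, then treat it as RC4 ciphertext.
    """
    for candidate in (body, rc4(key, body)):
        try:
            obj = json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict):
            return obj
    return None


if __name__ == "__main__":
    body = make_c2_body(SAMPLE_FINGERPRINT, KEY)
    print("captured body (hex):", body.hex())
    print("decoded:", decode_c2_body(body, KEY))
```

RC4 carries no integrity check and a hard-coded key is shared by every infected host, so one key recovered from one sample is enough to read every capture of that build's traffic; that is the practical payoff of spending the reversing time on the key.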
A Follow-Up Malware Also Delivered
A second piece of malware, the RedLine Stealer, was also distributed as a follow-up payload after the initial infection. “At that time the C2 communication format was not encrypted. It may be that this campaign was a test by SVCReady’s operators. At the time of writing, we have not yet received any further malware payloads since then,” the report concluded.
Other examples of recently discovered malware loaders include ChromeLoader and BumbleBee.