blog

New Malware Uses Word Documents To Get On Your System

Written by Securafy Team | Jul 6, 2022 3:00:00 PM

Researchers at HP have discovered a new malware loader that they've dubbed SVCReady.  While new malware strains are common, this one is distinct for a couple of different reasons.

Like many malicious programs, this spreads primarily via phishing email campaigns.  One way that this new strain differs however, is the fact that the malware is loaded onto the target machine via specially crafted Word documents attached to the email.

The idea is that these Word documents leverage VBGA macro code to execute shellcode that's stored in the properties of the Word document.  That's both new and dangerous.

The HP researchers found evidence that tracks the malicious code back to its origin in April of 2022, with the developers releasing several updates just one month later in May.  The number of updates is suggestive of a large, well-organized team that is committed to continued development of their new toy.

Currently, SVCReady boasts the following capabilities:

  • Download a file to the infected client
  • Take a screenshot
  • Run a shell command
  • Check if it is running in a virtual machine
  • Collect system information (a short and a "normal" version)
  • Check the USB status, i.e., the number of devices plugged-in
  • Establish persistence through a scheduled task
  • Run a file
  • And run a file using RunPeNative in memory

In addition to these capabilities, SVCReady can also fetch additional payloads from the command-and-control server.  While the bullet points above are dangerous in their way, it is the last, recently added capability that makes the new malware strain especially dangerous.  It enables the hackers to tailor the level of destruction for each infected target.

Worse, the new strain contains bits of code that lead the HP researchers to conclude that the threat actor TA551 may be behind it.  This is a large, well-organized group with ties to multiple other hacking organizations and ransomware affiliates. That implies that SVCReady may soon become much more widely available than it is now.

You will want to be sure this one stays on your radar.