Watch Out For SVCReady Malware In MS Word Documents!

Please watch out for a new malware called SVCReady that is being embedded in Microsoft Word attachments!

Here is what you need to know about the new SVCReady malware!

Watch Out For SVCReady Malware In MS Word Documents!

The HP Threat Research team just uncovered a new malware called SVCReady, which it first picked up on 22 April 2022 through HP Wolf Security telemetry.

SVCReady is being distributed in phishing emails with Microsoft Word attachments. On opening the infected Word document, an embedded Visual Basic for Applications (VBA) AutoOpen macro is used to run shellcode stored in the properties of the document.

Splitting the macro from the shellcode is a way to evade security software that would normally detect the malicious code.

[Figure] Document properties containing shellcode, namely a series of NOP instructions represented by 0x90 values. Credit: HP
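As an added example (not code from HP's report or from this article), the following Python scanner applies the two indicators described above, a VBA project part plus a document property holding a long run of hex-encoded bytes, to an OOXML (.docx/.docm) file held in memory. The sample document, the "Comments" property name, the 64-byte threshold and the NOP-ratio heuristic are all constructed assumptions; legacy OLE .doc files would need a different parser.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Heuristic: a property value holding >= 64 consecutive hex-encoded bytes (threshold is an assumption).
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}\s*){64,}")


def scan_docx(data: bytes) -> dict:
    """Report macro presence and hex-blob document properties in an OOXML file held in memory."""
    findings = {"has_macro": False, "suspicious_props": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A vbaProject.bin part means the document carries VBA code (e.g. an AutoOpen macro).
        findings["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not (name.startswith("docProps/") and name.endswith(".xml")):
                continue
            for elem in ET.fromstring(zf.read(name)).iter():
                match = HEX_RUN.search((elem.text or "").strip())
                if not match:
                    continue
                blob = bytes.fromhex(re.sub(r"\s+", "", match.group(0)))
                findings["suspicious_props"].append({
                    "part": name,
                    "tag": elem.tag.split("}")[-1],
                    "hex_bytes": len(blob),
                    # Share of 0x90 (NOP) bytes: a high value suggests a NOP sled in front of shellcode.
                    "nop_ratio": round(blob.count(0x90) / len(blob), 2),
                })
    return findings


def build_sample(prop_value: str, with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML container with one custom property (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "docProps/custom.xml",
            '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
            'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
            '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Comments">'
            f"<vt:lpwstr>{prop_value}</vt:lpwstr></property></Properties>",
        )
        if with_macro:  # constructed stand-in for a VBA project stream (OLE magic + padding)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a 96-byte NOP sled followed by a few other bytes, plus a macro part.
    print(scan_docx(build_sample("90" * 96 + "e8000000005b", True)))
```

A hit on both indicators is a strong reason to quarantine the file for analysis rather than open it; a real document with neither is not proof of safety, since the property could hold shellcode in a non-hex encoding.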

The SVCReady malware begins by downloading and loading its payload from the web, and connecting to its Command and Control (C2) server.

It then starts gathering and sending information to the C2 server, such as:

  • username
  • computer name
  • time zone
  • whether the computer is joined to a domain
  • the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System registry key
  • running processes
  • installed software

The SVCReady malware also connects to its C2 server every 5 minutes to report its status, send information, receive new instructions, or validate the domain.

Currently, the malware appears to only gather and send information. However, that will change, because the malware persists on the system and is capable of receiving both updates and instructions from the C2 server.

In fact, the HP team observed SVCReady retrieving and loading a RedLine stealer payload on an infected computer. It is a sign of things to come.

The HP team believes that the SVCReady malware is still in early development, with an influx of updates adding features like encrypted C2 communications, and detection evasion.

They also found evidence linking SVCReady to past malware documents by the TA551 (Shatak) group from 2019 and 2020.

SVCReady will eventually be used for more nefarious purposes once it is good and ready. Until then, the malware will stay hidden, lurking and waiting for its master’s commands.

How To Avoid SVCReady Malware In MS Word Documents?

The HP team discovered that the malware creates a new registry key, which could serve as a signature for security software to detect it: HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}

But until security software is updated to detect SVCReady, the best way to avoid this malware is simple: do NOT open Word documents attached to emails!

If you regularly receive Word documents in your emails, please VERIFY with the sender before opening them.

These phishing emails are designed to look legitimate. So be very careful about what you open!


Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.

He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.
