Researchers have been tracking spam campaigns that distribute a new malware family called SVCReady. The campaign has been active since April and relies on an unusual delivery method built around Microsoft Word documents.
According to the researchers, the operators pushed numerous updates to the malware during May. It appears to be still under development, with its features being changed and extended between versions.
The newly discovered malware supports several functions, including taking screenshots, downloading a file to the infected host, gathering system information, checking whether it is running in a virtual machine, and running shell commands. In addition, it includes an information exfiltration function, anti-analysis features, encrypted command-and-control communications, and a persistence mechanism. In one case, SVCReady delivered the RedLine Stealer to an infected device as a follow-up payload.
SVCReady's infection chain begins with a phishing email carrying a malicious [.]doc attachment. The document contains a VBA macro that runs shellcode hidden in the document's properties rather than in the macro code itself.
Separating the macro from the malicious shellcode in this way is an attempt to evade security software, which typically inspects the macro code rather than the document metadata. When the macro runs, it reads the shellcode out of the document properties into a variable.
The shellcode is then copied into memory, and the macro calls the VirtualProtect API to mark that memory region as executable. Finally, it passes the address of the shellcode to the SetTimer API as the timer callback, so that Windows itself invokes the shellcode when the timer fires.
The shellcode also places a copy of the legitimate Windows binary rundll32[.]exe in the same directory under a different name, after which SVCReady is launched on the compromised device. That renamed copy is worth hunting for: a file whose version information identifies it as rundll32.exe but which runs under another name should not occur in a clean environment.
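As an added example, not taken from the original report or from the researchers' tooling, the following Python sketch shows how a defender can triage a document for the loader pattern described above: macro source that declares VirtualProtect and SetTimer, a macro that reads document properties at runtime, and a metadata field that holds a long opaque blob. The sample macro text, the property values, the extra API names beyond VirtualProtect and SetTimer, and the length and entropy thresholds are all constructed assumptions for illustration; in practice the macro source and properties would be extracted from the document with a tool such as olevba.

```python
"""Triage heuristic for the 'shellcode in document properties' loader pattern.

Input is the macro source extracted from a Word document plus the document's
metadata fields as a name -> value dict. Three indicators are checked, mirroring
the chain described in the article: the macro declares Win32 APIs such as
VirtualProtect and SetTimer, it reads document properties at runtime, and one of
those properties holds a long opaque blob that could be encoded shellcode.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# VirtualProtect and SetTimer are the APIs named in the article; the other three
# are an assumption, added because they are common in macro-based loaders.
SUSPICIOUS_APIS = ("VirtualProtect", "VirtualAlloc", "SetTimer",
                   "RtlMoveMemory", "CreateThread")

# Matches VBA API declarations such as: Declare PtrSafe Function SetTimer Lib "user32" ...
DECLARE_RE = re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)", re.IGNORECASE)
# Matches runtime access to document metadata from VBA.
PROPERTY_READ_RE = re.compile(r"\b(?:BuiltInDocumentProperties|CustomDocumentProperties)\b",
                              re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

BLOB_MIN_LEN = 200        # assumption: genuine Title/Comments/Keywords fields are rarely this long
ENTROPY_THRESHOLD = 4.5   # assumption: bits/char; English prose sits near 4.0-4.3, random base64 near 6


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


@dataclass
class Verdict:
    findings: List[str] = field(default_factory=list)
    loader_pattern: bool = False   # True only when all three indicators are present


def triage(vba_source: str, properties: Dict[str, str]) -> Verdict:
    """Return the indicators found in the macro source and document properties."""
    verdict = Verdict()

    declared = {m.group(1).lower() for m in DECLARE_RE.finditer(vba_source)}
    api_hits = [api for api in SUSPICIOUS_APIS if api.lower() in declared]
    if api_hits:
        verdict.findings.append("macro declares native APIs: " + ", ".join(api_hits))

    reads_properties = PROPERTY_READ_RE.search(vba_source) is not None
    if reads_properties:
        verdict.findings.append("macro reads document properties at runtime")

    blob_fields = []
    for name, value in properties.items():
        if len(value) < BLOB_MIN_LEN:
            continue
        # A long pure-hex string is opaque regardless of its entropy (hex caps at 4 bits/char);
        # anything else long and high-entropy (e.g. base64) is treated the same way.
        if HEX_RE.match(value) or shannon_entropy(value) >= ENTROPY_THRESHOLD:
            blob_fields.append(name)
            verdict.findings.append(
                f"property {name!r} holds a {len(value)}-char opaque blob "
                f"(entropy {shannon_entropy(value):.2f} bits/char)")

    verdict.loader_pattern = bool(api_hits) and reads_properties and bool(blob_fields)
    return verdict


# --- Constructed sample input (not taken from a real SVCReady document) -----

# Macro fragment of the kind such a loader needs: API declarations plus a read of
# the Comments property. No shellcode or execution logic is included.
SAMPLE_VBA = '''
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (ByVal lpAddress As LongPtr, _
    ByVal dwSize As LongPtr, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare PtrSafe Function SetTimer Lib "user32" (ByVal hWnd As LongPtr, _
    ByVal nIDEvent As LongPtr, ByVal uElapse As Long, ByVal lpTimerFunc As LongPtr) As LongPtr

Sub AutoOpen()
    Dim payload As String
    payload = ActiveDocument.BuiltInDocumentProperties("Comments").Value
End Sub
'''

# 800 deterministic hex characters standing in for encoded shellcode.
SAMPLE_PROPERTIES = {
    "Title": "Invoice 2022-05",
    "Comments": "".join(f"{(i * 37 + 11) % 256:02x}" for i in range(400)),
}

BENIGN_VBA = 'Sub AutoOpen()\n    MsgBox "Welcome"\nEnd Sub\n'
BENIGN_PROPERTIES = {"Title": "Q2 budget", "Comments": "Reviewed by finance"}


if __name__ == "__main__":
    for label, vba, props in (("sample", SAMPLE_VBA, SAMPLE_PROPERTIES),
                              ("benign", BENIGN_VBA, BENIGN_PROPERTIES)):
        v = triage(vba, props)
        print(f"{label}: loader_pattern={v.loader_pattern}")
        for finding in v.findings:
            print("  -", finding)
```

The three indicators are deliberately combined rather than scored individually: API declarations alone appear in legitimate automation, and a long Comments field alone is merely odd, but a macro that declares memory-protection and timer APIs while pulling a long opaque string out of the document's own metadata is the specific arrangement this loader uses.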
The researchers also noted overlaps between the file names and lure images used in the documents distributing SVCReady and those previously seen in campaigns attributed to another threat group, TA551.
Security researchers assess SVCReady as malware still under development that could mature into a more capable threat. Organisations are advised to deploy anti-phishing controls to stop such campaigns at the email stage, and to use anti-malware solutions able to detect macro-based loaders of this kind rather than relying on static inspection of macro code alone.