A new wave of phishing attacks has been observed delivering a malware family named SVCReady. “The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents,” stated Patrick Schläpfer, a threat analyst at HP. SVCReady appears to be in an early stage of development: its authors updated it several times in the month before the report, and the first signs of the malware appeared on April 22, 2022. The infection chain starts with an email carrying a Microsoft Word attachment that contains VBA macros. Rather than using PowerShell or MSHTA to fetch a next-stage executable from a remote server, the macro executes shellcode stored in the document's properties, and that shellcode drops SVCReady. The malware can gather system information, capture screenshots, run shell commands, and download and execute arbitrary files, and it establishes persistence on the infected host through a scheduled task.
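The delivery trick described above, a macro pulling its payload out of the document's own metadata rather than from the network, leaves a signal that can be checked at triage time. The script below is an added example written for this page; it is not HP's detection logic and not tied to any specific sample. It makes two assumptions of mine: that the document is an OOXML container (.docx/.docm), which stores its properties in docProps/core.xml and docProps/app.xml, and that a payload smuggled into a property shows up as an unusually long or whitespace-free run of hex or base64 characters. Legacy binary .doc files keep properties in an OLE SummaryInformation stream and would need a different parser (for example the olefile library), so they are out of scope here. The two sample documents are constructed in memory, and the "blob" in the staged one is filler bytes, not shellcode.

```python
"""Flag OOXML documents whose metadata properties look like payload containers.

Added example for this page (not HP's tooling). Assumptions:
  * the file is an OOXML zip (.docx/.docm) with properties in docProps/*.xml;
  * an embedded payload appears as a long, whitespace-free hex/base64 string.
Legacy OLE .doc files are not handled here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
MACRO_PART = "word/vbaProject.bin"   # present only when the document carries VBA
MAX_LEN = 256                        # human-written metadata is rarely this long
MIN_BLOB_LEN = 64                    # shorter strings are too ambiguous to call
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_encoded(value: str) -> bool:
    """True for a long, whitespace-free run of hex or base64 characters."""
    v = value.strip()
    if len(v) < MIN_BLOB_LEN or any(ch.isspace() for ch in v):
        return False
    return bool(HEX_RE.match(v) or B64_RE.match(v))


def iter_properties(zf: zipfile.ZipFile):
    """Yield (part, local tag name, text) for every non-empty property element."""
    for part in PROPERTY_PARTS:
        if part not in zf.namelist():
            continue
        root = ET.fromstring(zf.read(part))
        for elem in root.iter():
            if elem.text and elem.text.strip():
                yield part, elem.tag.rsplit("}", 1)[-1], elem.text


def scan_document(data: bytes) -> dict:
    """Report macro presence and any property whose value looks like a payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_macro = MACRO_PART in zf.namelist()
        for part, tag, value in iter_properties(zf):
            if len(value) > MAX_LEN or looks_encoded(value):
                findings.append({"part": part, "property": tag,
                                 "length": len(value), "preview": value[:32]})
    # Macro plus an encoded property is the combination the technique needs.
    return {"has_macro": has_macro, "findings": findings,
            "suspicious": has_macro and bool(findings)}


# --- constructed sample documents (not real samples) -----------------------
CORE_NS = ('xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"')


def build_docx(subject: str, with_macro: bool) -> bytes:
    """Build a minimal in-memory .docx with the given Subject property."""
    core = (f"<cp:coreProperties {CORE_NS}><dc:title>Invoice</dc:title>"
            f"<dc:creator>Jane Doe</dc:creator><dc:subject>{subject}</dc:subject>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"\x00placeholder, not a real VBA project")
    return buf.getvalue()


# Filler hex string standing in for an encoded payload; it is NOT shellcode.
FAKE_BLOB = bytes(range(256)).hex()   # 512 hex characters
BENIGN_DOC = build_docx("Payment reminder for March", with_macro=False)
STAGED_DOC = build_docx(FAKE_BLOB, with_macro=True)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("staged", STAGED_DOC)):
        print(name, scan_document(doc))
```

The length and alphabet heuristics are deliberately crude: a long product key or URL in a Comments field will also trip them, which is why the verdict is only raised when a VBA project is present as well. For a real mail gateway the findings would feed a sandbox detonation rather than a block decision on their own.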
In incidents investigated by HP, RedLine Stealer was delivered as a follow-up payload once a machine had been infected with SVCReady. HP also found that the file names of the lure documents, and the images embedded in them, resemble those used by the group tracked as TA551 (also known as Hive0106 or Shathak). It remains unclear, however, whether the same threat actor is behind the latest campaign.