Search This Blog

Powered by Blogger.

Blog Archive

Labels

SVCReady: A New Loader Gets Ready

HP said that it has noted overlaps between SVCReady and TA551.

 

Recently, a team of researchers has found a brand new wave of phishing campaigns spreading a previously documented malware family called SVCReady. 

Based on HP Wolf Security telemetry, SVCReady which is in its early stage of development, has been in the light of cyber crimes since the end of April 2022, with the authors iteratively updating the malware several times last month. 

"The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. 

The malware is known for its unconventional way of targeting PCs- using shellcode hidden in the properties of Microsoft Office documents instead of PowerShell or MSHTA. 

The attackers send Microsoft Word document attachments to targets via email that contain Visual Basic for Applications (VBA) AutoOpen macros designed to execute the deployment of malicious payloads. 

After getting a command in the system, the malware tries to achieve persistence on the system. Following the goal the malicious actors copy the malware DLL to the Roaming directory, giving it a unique name based on a freshly generated universally unique identifier (UUID). 
Further, the malware creates a scheduled task called RecoveryExTask that runs the file copied to Roaming with rundll32.exe. 

The malware has the ability to capture systems information, capture screenshots, run shell commands, and download and execute arbitrary files. Reports also indicated that there are possibilities of malware having links with TA551. 

Additionally, HP said that it has noted overlaps between SVCReady and TA551 (aka Hive0106 or Shathak) malware, however, at present it cannot be confirmed if the same threat actor is behind the latest campaign. 

"It is possible that we are seeing the artifacts left by two different attackers who are using the same tools. However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns,” Schläpfer noted.
Share it:

Cyber Attacks

Cyber Threats

interwork war

Phishing and Spam

SVCReady