Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware


A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady.

“The malware is notable for the unusual way it is delivered to target PCs — using shell code hidden in the properties of Microsoft Office documents,” Patrick Schläpfer, a threat analyst at HP, said in a technical report.

SVCReady is said to be in an early stage of development, with the authors iteratively updating the malware several times last month. The first signs of activity date from April 22, 2022.

Infection chains involve sending Microsoft Word document attachments to targets via email that contain VBA macros to trigger the deployment of malicious payloads.

But what sets this campaign apart is that instead of using PowerShell or MSHTA to fetch the next-stage executables from a remote server, the macro runs shellcode stored in the document properties, which then drops the SVCReady malware.
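
A triage heuristic for the delivery technique described above, as an added example that is not from HP's report or the original article: it flags Word documents whose property values are unusually long or contain an unbroken encoded run, and notes whether a VBA project is present. It assumes OOXML (.docx/.docm) input; the thresholds and the names `triage` and `build_sample` are illustrative assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml

PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
MAX_PART_SIZE = 1 << 20   # assumed cap: refuse to parse property parts over 1 MiB
MAX_VALUE_LEN = 255       # assumed threshold: real titles/authors/comments are short
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{64,}")  # unbroken hex/base64-like run

def triage(doc_bytes):
    """Return {'macros': bool, 'findings': [(part, property, reason), ...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        for part in PROPERTY_PARTS:
            if part not in names:
                continue
            if zf.getinfo(part).file_size > MAX_PART_SIZE:
                findings.append((part, "*", "oversized part"))
                continue
            for prop in ET.fromstring(zf.read(part)):  # each root child is one property
                name = prop.get("name") or prop.tag.rsplit("}", 1)[-1]
                value = "".join(prop.itertext()).strip()
                if len(value) > MAX_VALUE_LEN:
                    findings.append((part, name, "length %d" % len(value)))
                elif ENCODED_RUN.search(value):
                    findings.append((part, name, "encoded run"))
    return {"macros": "word/vbaProject.bin" in names, "findings": findings}

def build_sample(comment):
    """Constructed test document: a macro-enabled OOXML shell with one custom property."""
    custom = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Notes">'
        '<vt:lpwstr>%s</vt:lpwstr></property></Properties>' % comment)
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>Invoice</dc:title></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/custom.xml", custom)
        zf.writestr("word/vbaProject.bin", b"")  # placeholder, not a real VBA project
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample("Q3 figures")))    # benign constructed value
    print(triage(build_sample("41" * 300)))      # constructed filler, not shellcode
```

A hit is a reason to inspect the document, not a verdict; legacy binary .doc files store properties in OLE streams and need a different parser.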

In addition to achieving persistence on the infected host through a scheduled task, the malware provides the ability to collect system information, take screenshots, execute shell commands, and download and run arbitrary files.

This also included delivering RedLine Stealer as a follow-up payload in one instance on April 26, after the machines were initially compromised with SVCReady.

HP said it has identified overlaps between the filenames of the decoy documents and the images in the files used to distribute SVCReady and those of another group called TA551 (aka Hive0106 or Shathak), but it’s not immediately clear whether the same threat actor is behind the latest campaign.

“We may see the artifacts left behind by two different attackers using the same tools,” Schläpfer noted. “However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns.”