
Malware loader infects users via malicious docs

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 08 Jun 2022

A previously documented malware loader dubbed SVCReady has been discovered in phishing attacks, and is using an unusual way of loading the malware from Word documents onto compromised computers.

It employs VBA macro code to execute shellcode stored in the properties of a document that arrives on the victim’s machine as an email attachment, Patrick Schläpfer, a malware analyst at HP, said in a recent report.

According to HP, SVCReady is in an early stage of development, with its authors iteratively updating the malware several times last month. Its first signs of activity date back to late April this year.

However, despite being relatively new, it already supports information exfiltration, persistence, anti-analysis features, and encrypted C2 communications.

The infection chain

The infection chain starts with a phishing email containing a malicious .doc attachment.

However, instead of the usual practice of using malicious macros to launch PowerShell or MSHTA and download payloads from remote locations, this threat uses VBA to run shellcode hidden in the file properties: the macros extract the shellcode and execute it. The malware’s authors chose this approach in an attempt to evade security controls.

Schläpfer says that in the next step the shellcode stored in the document properties is loaded into a variable, and that shellcode then drops and runs the SVCReady malware. “Different shellcode is loaded depending on if the architecture of the system is 32 bit or 64 bit.”

What it does

As for the threat itself, it is capable of collecting system information, including username, computer name, time zone, and whether the machine is connected to a domain.

In addition, it queries the registry to gather details about the computer’s manufacturer, BIOS and firmware, and collects lists of running processes and installed software. All information gathering is done through Windows API calls rather than Windows Management Instrumentation (WMI) queries.

Communication with the command-and-control server is done over HTTP, and is encrypted using an RC4 key. HP's researchers noted that this encryption was added in May during one of the malware's updates.

Achieving persistence

It is also worth noting that once it has exfiltrated information about the infected machine, SVCReady attempts to achieve persistence on the system.

“The malware’s authors probably intended to copy the malware DLL to the Roaming directory, giving it a unique name based on a freshly generated UUID,” explained Schläpfer.

However, he said it appears they failed to implement this correctly because rundll32.exe is copied to the Roaming directory instead of the SVCReady DLL.

“The malware creates a scheduled task called RecoveryExTask that runs the file copied to Roaming with rundll32.exe and a function name when the system starts.”

However, due to the error, the malware does not start after the system is rebooted.
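A defender-side check for the persistence artefacts described in this section, added here as an example and not taken from the article or from HP's report: it flags a scheduled task named RecoveryExTask, any task action that runs rundll32 against something under the user's Roaming directory, and any file under Roaming that is a byte-for-byte copy of the system rundll32.exe (the copied file may carry a UUID name, so it is matched by size and hash rather than by extension). The name, path and hash heuristics are assumptions drawn from the article's description; the article itself publishes no indicators.

```powershell
# Added example (not from the article or HP's report). Run in an elevated
# PowerShell session on the host being checked. Heuristics are assumptions
# derived from the article's description of SVCReady's persistence attempt.

$roaming  = [Environment]::GetFolderPath('ApplicationData')   # %APPDATA%\Roaming
$findings = @()

# 1. Scheduled tasks: the article names RecoveryExTask, which runs a file in
#    Roaming via rundll32.exe plus an export name at system start.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # skip COM-handler actions
        $cmdline = "$($action.Execute) $($action.Arguments)"

        $byName      = $task.TaskName -eq 'RecoveryExTask'
        $fromRoaming = $cmdline -match [regex]::Escape($roaming)
        $rundll      = $cmdline -match 'rundll32(\.exe)?'

        if ($byName -or ($fromRoaming -and $rundll)) {
            $reason = if ($byName) { 'task name matches RecoveryExTask' }
                      else         { 'rundll32 action referencing Roaming' }
            $findings += [pscustomobject]@{
                Item = "$($task.TaskPath)$($task.TaskName)"; State = $task.State
                Detail = $cmdline; Reason = $reason
            }
        }
    }
}

# 2. Dropped binary: the article says rundll32.exe itself is copied into
#    Roaming under a generated UUID name. Compare size first, then SHA-256,
#    against the 64-bit and (if present) 32-bit system copies.
$refs = @("$env:SystemRoot\System32\rundll32.exe", "$env:SystemRoot\SysWOW64\rundll32.exe") |
        Where-Object { Test-Path $_ } |
        ForEach-Object { [pscustomobject]@{ Len = (Get-Item $_).Length
                                            Hash = (Get-FileHash $_ -Algorithm SHA256).Hash } }

Get-ChildItem -Path $roaming -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -in $refs.Len } |
    ForEach-Object {
        $h = (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -in $refs.Hash) {
            $findings += [pscustomobject]@{
                Item = $_.FullName; State = '-'; Detail = "SHA256 $h"
                Reason = 'byte-for-byte copy of system rundll32.exe under Roaming'
            }
        }
    }

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No SVCReady-style persistence artefacts found.' }
```

Because the article reports that the task fails to relaunch the malware after reboot, a hit on the task or the stray rundll32 copy is evidence of an earlier infection on the host rather than of a currently running implant, and should trigger a look at the Word documents and macro activity that preceded it.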

Multiple functions

The functions that the malware currently supports include downloading a file to the infected machine, taking a screenshot, running a shell command, and checking whether it is running in a virtual machine.

In addition, it can collect system information, check the number of USB devices plugged in, establish persistence, and run files.

He says HP has seen links to past TA551 campaigns, such as the lure images used in the malicious documents and the resource URLs used for fetching the payload, among others. However, the direct relation to SVCReady is not known.
