A new phishing campaign distributing the SVCReady malware has been observed.
“The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents,” Patrick Schläpfer, a threat analyst at HP, said in a technical write-up.
SVCReady is in its nascent development stage, and the attackers have been continually updating the malware over the last month. The earliest signs of activity were picked up on April 22, 2022.
The infection chain begins with Microsoft Word documents sent to targets as email attachments; their VBA macros initiate the deployment of the malicious payloads.
What sets this attack apart from other methods is the delivery step: instead of using PowerShell or MSHTA to retrieve next-stage executables from a remote server, the macro executes shellcode stored in the document properties, which then drops the SVCReady malware.
The malware persists on the infected system through a scheduled task, and it can collect system information, capture screenshots, run shell commands, and download and execute arbitrary files.
In one instance on April 26, the attackers also delivered RedLine Stealer as a follow-up payload after the machines were initially compromised with SVCReady.
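As an added example (not HP's detection logic or code from the malware), the script below applies the defensive observation this delivery method invites: legitimate document properties are short, human-readable strings, so unusually long or encoded-looking values in the docProps parts of an OOXML (.docx/.docm) package are worth surfacing for analyst review. The thresholds, the property names and the two sample packages are constructed assumptions; the script builds them in memory so it runs offline.

```python
"""Heuristic scan of OOXML document properties for oversized or encoded values.

Added example for this article: the heuristic is an illustration, not HP's
detection logic or SVCReady's code.  It assumes only the OOXML package layout,
where properties live in docProps/core.xml, docProps/app.xml and
docProps/custom.xml.  The sample packages below are constructed in memory.
"""
import io
import math
import re
import xml.etree.ElementTree as ET
import zipfile

PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
# Thresholds are assumptions chosen for illustration; tune them on your own corpus.
MAX_LEN = 256        # titles, authors and comments are normally far shorter
MIN_ENTROPY = 4.5    # bits/char; prose sits around 4.0-4.3, base64-like blobs higher
HEX_RE = re.compile(r"^[0-9A-Fa-f\s]+$")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def iter_properties(part: str, xml_bytes: bytes):
    """Yield (name, value) pairs for one properties part.

    core.xml/app.xml hold one element per property directly under the root;
    custom.xml wraps each value as <property name="..."><vt:lpwstr>v</vt:lpwstr></property>.
    """
    root = ET.fromstring(xml_bytes)
    if part.endswith("custom.xml"):
        for prop in root:
            name = prop.get("name", "?")
            yield name, "".join((child.text or "") for child in prop)
    else:
        for child in root:
            if child.text and child.text.strip():
                yield child.tag.split("}")[-1], child.text


def scan_docx(data: bytes) -> list:
    """Return (part, property, reason) findings for one OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        present = set(zf.namelist())
        for part in PROPERTY_PARTS:
            if part not in present:
                continue
            for name, value in iter_properties(part, zf.read(part)):
                reasons = []
                if len(value) > MAX_LEN:
                    reasons.append(f"length {len(value)} > {MAX_LEN}")
                ent = shannon_entropy(value)
                if ent > MIN_ENTROPY:
                    reasons.append(f"entropy {ent:.2f} > {MIN_ENTROPY}")
                if len(value) >= 64 and HEX_RE.match(value):
                    reasons.append("looks like a hex-encoded blob")
                if reasons:
                    findings.append((part, name, "; ".join(reasons)))
    return findings


def build_sample(core_title: str, custom_props: dict) -> bytes:
    """Construct a minimal OOXML-like package in memory (sample data, not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:title>{core_title}</dc:title><dc:creator>analyst</dc:creator>"
        "</cp:coreProperties>"
    )
    props = "".join(
        f'<property pid="{i + 2}" name="{k}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (k, v) in enumerate(custom_props.items())
    )
    custom = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        f"{props}</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/custom.xml", custom)
    return buf.getvalue()


# Constructed samples: ordinary metadata versus an 800-character hex string
# standing in for an encoded blob (no real shellcode is involved).
BENIGN = build_sample("Quarterly invoice", {"Department": "Accounts"})
SUSPICIOUS = build_sample(
    "Invoice",
    {"Department": "Accounts", "Comments": "".join(f"{(i * 37) % 256:02x}" for i in range(400))},
)

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_docx(pkg))
```

Hex strings cannot exceed 4 bits/char, so the entropy rule is there to catch base64-style blobs while the hex rule catches the case shown; a real deployment would pair either hit with the presence of a VBA project in the same package before alerting.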
HP said it identified overlaps between the file names of the lure documents and the images contained in the files used to distribute SVCReady and those employed by another group called TA551 (aka Hive0106 or Shathak), but it’s not immediately clear if the same threat actor is behind the latest campaign.
“It is possible that we are seeing the artifacts left by two different attackers who are using the same tools,” Schläpfer noted. “However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns.”