New SVCReady malware loads from Word doc properties
2022-06-07 22:24

A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines.

According to a new report by HP, the malware has been deployed since April 2022, with the developers releasing several updates in May 2022.

The SVCReady malware begins by profiling the system via Registry queries and Windows API calls and sends all gathered information to the C2 server via an HTTP POST request.

The persistence mechanism currently relies upon creating a scheduled task and a new registry key, but due to errors in the implementation, the malware will not launch after a reboot.

TA551 has been linked to various malware operators and even ransomware affiliates, so the relation to SVCReady is currently unclear and could be a distribution partnership.

Since the malware appears to be in an early development phase, testing it via TA551 seems unlikely, so it might be the group's own malware project.


News URL

https://www.bleepingcomputer.com/news/security/new-svcready-malware-loads-from-word-doc-properties/