Researchers at HP have discovered a new malware loader that they’ve dubbed SVCReady. While new malware strains are common, this one is distinct for a couple of different reasons.
Like many malicious programs, this spreads primarily via phishing email campaigns. One way that this new strain differs however, is the fact that the malware is loaded onto the target machine via specially crafted Word documents attached to the email.
The idea is that these Word documents leverage VBGA macro code to execute shellcode that’s stored in the properties of the Word document. That’s both new and dangerous.
The HP researchers found evidence that tracks the malicious code back to its origin in April of 2022, with the developers releasing several updates just one month later in May. The number of updates is suggestive of a large, well-organized team that is committed to continued development of their new toy.
Currently, SVCReady boasts the following capabilities:
- Download a file to the infected client
- Take a screenshot
- Run a shell command
- Check if it is running in a virtual machine
- Collect system information (a short and a “normal” version)
- Check the USB status, i.e., the number of devices plugged-in
- Establish persistence through a scheduled task
- Run a file
- And run a file using RunPeNative in memory
In addition to these capabilities, SVCReady can also fetch additional payloads from the command-and-control server. While the bullet points above are dangerous in their way, it is the last, recently added capability that makes the new malware strain especially dangerous. It enables the hackers to tailor the level of destruction for each infected target.
Worse, the new strain contains bits of code that lead the HP researchers to conclude that the threat actor TA551 may be behind it. This is a large, well-organized group with ties to multiple other hacking organizations and ransomware affiliates. That implies that SVCReady may soon become much more widely available than it is now.
You will want to be sure this one stays on your radar.
#atcus #cybersecurity #cybersecurityinla #cybersecurityexpertsinla #itsupportinla #manageditservices #itservices #torrance #Itservicesintorrance
The Small Business Cyber Crisis
Urgent And Critical Protections Every Business Must Have In Place NOW To Protect Their Bank Accounts, Client Data, Confidential Information And Reputation From The Tsunami Of Cybercrime.
Complete The Form Below To Claim Your FREE Urgent and Critical Protections Every Business Must Have In Place NOW!
Important! We hate spam as much (or more!) than you and promise to NEVER rent, share, or abuse your e-mail address and contact information in any way.