SVCReady Malware Detection: A New Loader Massively Distributed via Phishing

Meet SVCReady, a new malicious loader on the arena! The novel strain is heavily distributed via phishing campaigns since April 2022, leveraging an unusual infection routine. According to experts, SVCReady relies on shellcode hidden within the properties of the Microsoft Office document allowing it to fly under the radar of security solutions. Since malware is currently under active development, with frequent functionality updates being observed so far, additional sophisticated tricks and features might be added soon to strengthen its capabilities.

Detect SVCReady Malware

Spot the malicious activity related with novel SVCReady loader with a dedicated Sigma rule by our seasoned Threat Bounty developer Kaan Yeniyol. Eager to monetize your threat detection skills? Join our Threat Bounty Program, get your Sigma rules published to the SOC Prime platform, and receive recurrent rewards while contributing to collaborative cyber defense. 

The rule below detects suspicious SVCReady persistence by identifying the associated Scheduled Task. 

Suspicious SVCReady Malware (June 2022) Persistence by Detection of Associated Scheduled Task (via security)

The detection is compatible with 18 SIEM, EDR & XDR formats and aligned with the MITRE ATT&CK® framework v.10, addressing Execution tactic with Scheduled Task/Job (T1053) as the main technique.

To reach the entire collection of Sigma rules to detect the latest cyber threats, hit the Detect & Hunt button below. To explore the additional threat context, including іdeas for Threat Hunting, guidance for Detection Engineering, and links to the latest Cyber Threat Intelligence, click Explore Threat Context Button and immediately drill down to SOC Prime’s search engine for cyber threats. 

Detect & Hunt Explore Threat Context

SVCReady Analysis

According to the inquiry by HP’s threat research team, SVCReady is a previously indocumented malware family that emerged in April 2022. Since then, the new loader is being massively distributed via phishing campaigns.

The infection chain typically starts with a phishing email carring a malicious Microsoft Word documents attached. Yet, instad of of the traditional practice of leveraging PowerShell of MSHTA via malicious macro, the SVCReady maintainers rely on VBA to run shellcode inserted into the .doc file properties. Once shellcode is extracted and executed with macro, it is loaded into the memory to use the “Virtual Protect” Windows API functionality and obtain executable access rights. At the next stage, the SetTimer API executes the shellcode which ends up in a malware payload being dropped to the targeted instance. 

Upon infection, SVCReady loader is able to perform a long list of malicious actions, including dowloading files to the compromised client, taking screenshots, running shell commands, establishing persistence through a scheduled task, running files, and delivering additional payloads to the infected environment. HP researchers identified several cases of RedLine stealer being dropped by SVCReady in April 2022. 

TA551 (Shatak) collective is suspected to operate the SVCReady campaigns since HP experts observe a major overlap in tactics. Specifically, research points to the image lures, resource URLs, and other details used by SVCReady and associated with TA551 routines observed in the past. However, the exact attribution of the campaigns in currently unclear. 

Tap into the power of collaborative cyber defense and benefit from the world’s most advanced Detection as Code platform including the access to 190K+ curated detection algorithms available for 25+ SIEM, EDR & XDR solutions.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts