New SVCReady Spread Through Malspam Campaign

phishing spam email

Security experts with the threat research branch of HP published their findings on a new strain of malware, dubbed SVCReady. The malware is being spread using malicious spam email campaigns.

The first sighting of SVCReady in the wild took place in late April 2022. The malware was spread through malicious MS Word document files loaded with macros that execute on open. However, unlike most malware that uses macros, SVCReady does not make use of MSHTA or PowerShell commands to grab its payload off the Internet. Instead, the new malware uses another clever trick - executing shellcode that is contained in the file's property fields.

SVCReady drops a DLL file in the temporary folder. After that, the malware copies the system's legitimate rundll32 file into the same directory and renames it. Then the renamed copy of rundll32 is used to execute the malicious DLL file.

The malware appears to be under active development, as it has been updated multiple times since late April and it appears to have the makings of a persistence mechanism, but it's faulty and does not actually achieve persistence in the current state.

SVCReady has been used as an initial payload to deliver additional malware on infected systems, including the RedLine infostealer malware.

June 8, 2022