Cybercriminals are using a previously unknown malware loader delivered via phishing attacks. Details about the threat and its associated attack campaigns were made public in a report by HP. According to the researchers' findings, the threat, tracked as SVCReady, uses an unusual technique when it is loaded onto the victim's device. Although the threat cannot be conclusively attributed to a specific APT group, there are links between this attack campaign and earlier malicious operations carried out by the TA551 (Shathak) group.
SVCReady is distributed inside malicious Word documents attached to lure emails. The documents still use VBA macros to execute shellcode, which in turn retrieves the payload from a remote location. However, in the case of SVCReady, the VBA macros and the shellcode are split apart, with the attackers hiding the shellcode inside the document's file properties. Once deployed on the system, the threat first performs initial information gathering via Registry queries and Windows API calls. The acquired data is then transmitted to a Command-and-Control (C2, C&C) server. In later versions of the threat, communication with the C2 server is RC4 encrypted.
The loader also tries to ascertain whether it is running inside a virtualized environment by making two WMI queries. Depending on the results, SVCReady may enter a 30-minute sleep. For persistence, the threat creates a scheduled task and a new Registry key on the breached system. However, the implementation of this feature is currently flawed and produces errors that prevent the malware from launching after a reboot. This functionality could be fixed in a future version, as HP's researchers note that SVCReady is still under active development. The threat actors can instruct the malware to take arbitrary screenshots, run shell commands, execute a chosen file, or fetch additional malicious payloads.