Cybersecurity researchers from HP Wolf Security have discovered a new malware strain being distributed via weaponized Microsoft Word files.
The malware, dubbed SVCReady, allows threat actors to exfiltrate system information such as device firmware and software installed on the endpoint, the report says. It is being deployed in unison with another virus, a relatively popular strain called RedLine Stealer. This one is used to steal things like passwords, stored payment data, browsing history, and the likes.
The threat actor deploys the malware through weaponized Microsoft Word documents, by using shellcode stored within the properties of the document. This is a deviation of a more standard practice in which threat actors would usually use PowerShell or MSHTA.
While the strain is still in its infancy, and clearly a work in progress, it has great potential of becoming more than a nuisance, the researchers said.
Work in progress
The malware isn’t as potent as it can be. Still, with threat actors hard at work, there’s no room for complacency, argues Patrick Schläpfer, Malware Analyst at HP Wolf Security.
“A few things in the malware are broken,” Schläpfer says. “SVCReady is clearly under development, and the malicious actors have been adding encryption to the network communication format in recent weeks. As the malware is refined there is potential for it to become a bigger problem in the future. We have seen a few similarities in file naming conventions and lure imagery which appear to be linked to those used by the financially motivated threat group TA551.”
Last we heard of TA551, the group was hijacking email threads to distribute malware loaders. Cybersecurity experts from Intezer found the group abusing known vulnerabilities in unpatched and compromised Microsoft Exchange servers to steal login credentials, moving into people’s inboxes, and replying on long email chains with the links to IcedID, a modular banking trojan.
