New malware known as SVCReady uses shellcode in the properties of Microsoft Office documents to infect its target. This is yet another new form of attack that affects Microsoft Office, disguising malicious code in a seemingly safe Office document format. The SVCReady family of malware has been reported by the HP threat research blog as being updated several times already during May 2022, showing that this attack is still in its development phase.
SVCReady is delivered as an email attachment: a Microsoft Word document containing a Visual Basic for Applications (VBA) AutoOpen macro. This is a common strategy in other malware campaigns for getting malicious code to run on the target’s device. Unlike most other Office-based attacks, however, SVCReady does not need PowerShell or MSHTA to reach the internet and download its payload. Instead, the VBA macro runs shellcode that is stored in the document’s properties, encoded as a series of 0x90 no-operation (NOP) instructions, and that shellcode launches the SVCReady malware. The shellcode writes a dynamic link library (DLL) to the %TEMP% directory, then copies rundll32.exe into the same directory and renames the copy to evade detection.
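The two document-level traits described above (a VBA project in the file and document properties that carry encoded machine code) can be checked before a file ever reaches a user. The script below is an added example, not HP’s tooling or part of the original post. It assumes the attachment is an OOXML package (.docx/.docm), where properties live in the standard `docProps/core.xml`, `docProps/app.xml` and `docProps/custom.xml` parts, and it uses two assumed heuristics: a hex-encoded run of at least eight consecutive `0x90` bytes, or any single property value longer than 512 characters. The sample package built by `build_sample` is a constructed test fixture, not a real document.

```python
"""Heuristic triage of an OOXML (.docx/.docm) package for an embedded VBA
project and for document properties that look like encoded shellcode.
Added illustrative code; part names are standard OOXML, thresholds are assumptions."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML property parts; custom.xml is where arbitrary values are stored.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")

# Assumed thresholds for flagging a property value.
NOP_RUN = re.compile(r"(?:90){8,}", re.IGNORECASE)   # hex-encoded NOP sled
MAX_PROPERTY_LEN = 512                               # benign metadata is short


def _property_values(xml_bytes):
    """Yield (label, text) for each text-bearing element in a properties part.

    In custom.xml the value sits in a <vt:*> child of <property name="...">,
    so the label is taken from the parent's name attribute when present."""
    root = ET.fromstring(xml_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in root.iter():
        if elem.text and elem.text.strip():
            tag = elem.tag.rsplit("}", 1)[-1]          # drop the XML namespace
            label = elem.get("name") or parents.get(elem, root).get("name") or tag
            yield label, elem.text.strip()


def scan_docx(data):
    """Return a list of finding strings for an OOXML package given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/vbaProject.bin" in names:
            findings.append("vba_project_present")
        for part in PROPERTY_PARTS:
            if part not in names:
                continue
            for label, text in _property_values(zf.read(part)):
                if len(text) > MAX_PROPERTY_LEN:
                    findings.append(f"oversized_property:{part}:{label}:{len(text)}")
                if NOP_RUN.search(text):
                    findings.append(f"nop_sled_like_property:{part}:{label}")
    return findings


def build_sample(custom_value, with_vba=False):
    """Construct a minimal in-memory OOXML package (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("docProps/core.xml",
                    "<cp:coreProperties "
                    "xmlns:cp='http://schemas.openxmlformats.org/package/2006/metadata/core-properties' "
                    "xmlns:dc='http://purl.org/dc/elements/1.1/'>"
                    "<dc:title>Invoice</dc:title></cp:coreProperties>")
        zf.writestr("docProps/custom.xml",
                    "<Properties "
                    "xmlns='http://schemas.openxmlformats.org/officeDocument/2006/custom-properties' "
                    "xmlns:vt='http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes'>"
                    f"<property pid='2' name='Comments'><vt:lpwstr>{custom_value}</vt:lpwstr>"
                    "</property></Properties>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")   # placeholder bytes, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample("Quarterly figures")))            # benign: []
    print(scan_docx(build_sample("90" * 300, with_vba=True)))      # flagged on all three heuristics
```

Legacy binary `.doc` files keep their properties in the OLE `SummaryInformation` and `DocumentSummaryInformation` streams rather than in XML parts, so the same heuristics would need an OLE parser (for example the `olefile` library) in front of them; the hex-run check is also only one possible encoding, so treat a clean result as “nothing obvious”, not as a clean bill of health.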
Once the malware is installed, it collects a large amount of information from its target, including not only the computer name, username, and time zone, but also details about the running processes, installed software, the manufacturer of the computer, BIOS and firmware. All of this is achieved using Windows API functions, and is then formatted as JSON, and delivered to a command and control (C2) server using an HTTP POST request. The research from HP lists several Indicators of Compromise which can be used to identify the malware on your systems.
SVCReady is a versatile piece of malware, whose abilities include:
- Download a file to the infected client
- Take a screenshot
- Run a shell command
- Check if it is running in a virtual machine
- Collect system information
- Check the USB status and the number of devices plugged-in
- Establish persistence through a scheduled task
- Run a file
SVCReady has also been observed fetching additional payloads; in one case a RedLine Stealer payload was dropped on the infected host.
SVCReady needs its VBA macro to run before anything else happens, so, assuming macros are disabled by default for Office documents in your environment, it relies on social engineering to get the user to enable them. The document displays a professional-looking lure image claiming the file was created with an older version of MS Office and needs ‘converting’ before it can be opened, and directs the user to click Enable Editing and Enable Content on the Office task bar, which allows the macro to launch.
Security Awareness Training for end users is an important defence against attacks like this: it helps them recognise and avoid the social-engineering trick and stops the malicious payload from ever being activated.