New SVCReady malware loads from Word doc properties


Level 37
Thread author
Top poster
Feb 4, 2016
A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines.
More specifically, it uses VBA macro code to execute shellcode stored in the properties of a document that arrives on the target as an email attachment.

According to a new report by HP, the malware has been under deployment since April 2022, with the developers releasing several updates in May 2022. This indicates that it is currently
under heavy development, likely still at an early stage. However, it already supports information exfiltration, persistence, anti-analysis features, and encrypted C2 communications.

SVCReady starts with an email​

The infection chain begins with a phishing email carrying a malicious .doc attachment.
However, contrary to the standard practice of using PowerShell or MSHTA via malicious macros to download payloads from remote locations, this campaign uses VBA to run shellcode hiding in the file properties.

As shown below, this shellcode is stored in the properties of the Word document, which is extracted and executed by the macros.