Another dangerous malware strain is hijacking Microsoft Word documents in 2022
The malware, dubbed SVCReady, allows threat actors to exfiltrate system information such as device firmware and software installed on the endpoint, the report says. It is being deployed in unison with another virus, a relatively popular strain called RedLine Stealer. This one is used to steal things like passwords, stored payment data, browsing history, and the like.
The threat actor deploys the malware through weaponized Microsoft Word documents, using shellcode stored within the properties of the document. This is a deviation from the more standard practice, in which threat actors would usually use PowerShell or MSHTA.
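One defensive check this technique suggests, as an added example that is not code from the report or from HP: scan the docProps parts of a .docx for property values that are unusually long or high in entropy, which is where an embedded payload would stand out. The thresholds and the constructed sample documents below are assumptions for illustration.

```python
import io
import math
import re
import zipfile

# Package parts of a .docx that carry document metadata properties.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
# Assumed thresholds for illustration; tune against your own document corpus.
MAX_LEN = 200
MIN_ENTROPY = 4.5

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs score far higher than natural text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_properties(docx_bytes: bytes):
    """Return (part, preview, length, entropy) for property values that look like
    embedded payloads rather than ordinary metadata."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in PROPERTY_PARTS:
            if part not in z.namelist():
                continue
            xml = z.read(part).decode("utf-8", errors="replace")
            # Crude text-content extraction; sufficient for flat property XML.
            for value in re.findall(r">([^<]+)<", xml):
                value = value.strip()
                ent = shannon_entropy(value)
                if len(value) > MAX_LEN or (len(value) > 32 and ent > MIN_ENTROPY):
                    findings.append((part, value[:24], len(value), round(ent, 2)))
    return findings

def build_sample_docx(description: str) -> bytes:
    """Constructed minimal .docx with only a core.xml carrying the given description."""
    core = ('<?xml version="1.0"?><cp:coreProperties '
            'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:title>Invoice</dc:title><dc:description>{description}</dc:description>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    print(suspicious_properties(build_sample_docx("Quarterly invoice for review")))
    # Constructed stand-in for an encoded blob: 600 hex characters of pseudo-random bytes.
    blob = "".join(f"{(i * 131 + 7) % 256:02x}" for i in range(300))
    print(suspicious_properties(build_sample_docx(blob)))
```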
While the strain is still in its infancy, and clearly a work in progress, it has great potential of becoming more than a nuisance, the researchers said.
Work in progress
The malware isn’t as potent as it can be. Still, with threat actors hard at work, there’s no room for complacency, argues Patrick Schläpfer, Malware Analyst at HP Wolf Security.
“A few things in the malware are broken,” Schläpfer says. “SVCReady is clearly under development, and the malicious actors have been adding encryption to the network communication format in recent weeks. As the malware is refined there is potential for it to become a bigger problem in the future. We have seen a few similarities in file naming conventions and lure imagery which appear to be linked to those used by the financially motivated threat group TA551.”
Last we heard of TA551, the group was hijacking email threads to distribute malware loaders. Cybersecurity experts from Intezer found the group abusing known vulnerabilities in unpatched and compromised Microsoft Exchange servers to steal login credentials, move into people’s inboxes, and reply on long email chains with links to IcedID, a modular banking trojan.