SVCReady

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.[1]

ID: S1064
Type: MALWARE
Platforms: Windows
Contributors: Manikantan Srinivasan, NEC Corporation India; Akiko To, NEC Corporation; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 10 February 2023
Last Modified: 18 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

SVCReady can use WMI queries to detect the presence of a virtual machine environment.[1]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

SVCReady has created the HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19} Registry key for persistence.[1]

Enterprise T1005 Data from Local System

SVCReady can collect data from an infected host.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

SVCReady has named a task RecoveryExTask as part of its persistence activity.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

SVCReady has used VBA macros to execute shellcode.[1]

Enterprise T1120 Peripheral Device Discovery

SVCReady can check for the number of devices plugged into an infected host.[1]

Enterprise T1113 Screen Capture

SVCReady can take a screenshot from an infected host.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SVCReady can communicate with its C2 servers via HTTP.[1]

Enterprise T1106 Native API

SVCReady can use Windows API calls to gather information from an infected host.[1]

Enterprise T1012 Query Registry

SVCReady can search for the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Registry key to gather system information.[1]

Enterprise T1027 Obfuscated Files or Information

SVCReady can encrypt victim data with an RC4 cipher.[1]
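RC4 is a symmetric stream cipher, so the same routine that the loader uses to protect collected data also recovers it once an analyst has the key from a sample. The block below is an added example, not SVCReady's own code, and nothing on this page describes the loader's key or data layout: the key, the JSON payload and the layout here are constructed for illustration. It implements textbook RC4 (key scheduling plus keystream generation) and applies it to decode an RC4-protected JSON blob, with the published RC4 known-answer vectors as a correctness check.

```python
import json
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for the given key (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: walk the permutation forever.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with RC4 (the operation is its own inverse)."""
    stream = rc4_keystream(key)
    return bytes(b ^ next(stream) for b in data)


def decode_rc4_json(key: bytes, blob: bytes) -> dict:
    """Decrypt an RC4-protected blob and parse it as a JSON object.

    Raises ValueError if the result is not valid JSON, which is the usual
    symptom of a wrong key during analysis.
    """
    plaintext = rc4(key, blob)
    try:
        return json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decrypted bytes are not a JSON object; check the key") from exc


# Constructed sample: a placeholder key and a made-up collection record.
# Neither value comes from an SVCReady sample.
SAMPLE_KEY = b"PLACEHOLDER-KEY"
SAMPLE_RECORD = {"host": "WS-EXAMPLE", "user": "analyst", "tz": "UTC+01:00"}
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_RECORD).encode("utf-8"))


if __name__ == "__main__":
    # Known-answer vector for RC4: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print(decode_rc4_json(SAMPLE_KEY, SAMPLE_BLOB))
```

A wrong key produces bytes that almost never parse as JSON, so `decode_rc4_json` treats a parse failure as a key problem rather than returning garbage; when triaging captured traffic, that check is what tells you whether the key pulled from the sample is the one in use.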

Enterprise T1204 .002 User Execution: Malicious File

SVCReady has relied on users clicking a malicious attachment delivered through spearphishing.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

SVCReady has used rundll32.exe for execution.[1]

Enterprise T1082 System Information Discovery

SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe.[1]

Enterprise T1033 System Owner/User Discovery

SVCReady can collect the username from an infected host.[1]

Enterprise T1124 System Time Discovery

SVCReady can collect time zone information.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

SVCReady has the ability to determine if its runtime environment is virtualized.[1]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

SVCReady can enter a sleep stage for 30 minutes to evade detection.[1]

Enterprise T1518 Software Discovery

SVCReady can collect a list of installed software from an infected host.[1]

Enterprise T1105 Ingress Tool Transfer

SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.[1]

Enterprise T1057 Process Discovery

SVCReady can collect a list of running processes from an infected host.[1]

Enterprise T1041 Exfiltration Over C2 Channel

SVCReady can send collected data in JSON format to its C2 server.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

SVCReady has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

SVCReady can create a scheduled task named RecoveryExTask to gain persistence.[1]
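The persistence and execution entries above (the COM hijack under T1546.015, the RecoveryExTask task under T1036.004 and T1053.005, and rundll32 under T1218.011) translate directly into host telemetry checks. The block below is an added detection example, not code from this page's source or from any vendor: it runs three rules over constructed, simplified event records (registry writes, scheduled-task creation and process creation, loosely modelled on Sysmon and Security-log fields but not real telemetry). The CLSID and task name are the ones on this page; the second CLSID and the Office-parent heuristic for rundll32 are assumptions made for the example, the latter because the page states only that VBA macros execute shellcode and that rundll32.exe is used for execution, not which process launches it.

```python
import re

# Indicators taken from the ATT&CK entries on this page.
SVCREADY_CLSID = "{E6D34FFC-AD32-4d6a-934C-D387FA873A19}"
SVCREADY_TASK_NAME = "RecoveryExTask"

# A COM server registered under the per-user Classes hive shadows the
# machine-wide one on lookup, so any such write is a hijack candidate.
COM_SERVER_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)",
    re.IGNORECASE,
)

# Assumption for this example: rundll32 spawned by an Office process is
# treated as suspicious. The page does not state SVCReady's parent process.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of rule hits for one event (empty when benign)."""
    hits: list[str] = []
    kind = event.get("kind")
    if kind == "registry":
        match = COM_SERVER_RE.match(event.get("target", ""))
        if match:
            clsid = match.group(1)
            if clsid.lower() == SVCREADY_CLSID.lower():
                hits.append("T1546.015 COM hijack: known SVCReady CLSID set in HKCU")
            else:
                hits.append(f"T1546.015 COM hijack candidate: per-user server for {clsid}")
    elif kind == "task":
        if event.get("name", "").lower() == SVCREADY_TASK_NAME.lower():
            hits.append("T1053.005/T1036.004: scheduled task named RecoveryExTask")
    elif kind == "process":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent", ""))
        if image == "rundll32.exe" and parent in OFFICE_PARENTS:
            hits.append("T1218.011: rundll32.exe launched by an Office process")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, finding) pairs."""
    return [(i, hit) for i, event in enumerate(events) for hit in classify(event)]


# Constructed sample events (not real telemetry). Index 2 uses a made-up CLSID.
SAMPLE_EVENTS = [
    {"kind": "registry",
     "target": r"HKLM\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32\(Default)"},
    {"kind": "registry",
     "target": r"HKCU\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}\InprocServer32\(Default)"},
    {"kind": "registry",
     "target": r"HKCU\Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\LocalServer32\(Default)"},
    {"kind": "task", "name": "RecoveryExTask"},
    {"kind": "task", "name": "OneDrive Standalone Update Task"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The first rule deliberately fires on any per-user CLSID server, not only the SVCReady value: a new loader build can change its CLSID, but it cannot avoid writing under HKCU\Software\Classes\CLSID if it wants the hijack to work, so the generic rule is the one that keeps detecting it. Tune the rule by allow-listing the handful of CLSIDs legitimate per-user installers register on your estate rather than by narrowing it to known-bad values.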

References