Another dangerous malware strain is hijacking Microsoft Word documents

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Cybersecurity researchers from HP Wolf Security have discovered a new malware strain being distributed via weaponized Microsoft Word files.

The malware, dubbed SVCReady, allows threat actors to exfiltrate system information such as device firmware and software installed on the endpoint, the report says. It is being deployed in unison with another virus, a relatively popular strain called RedLine Stealer. This one is used to steal things like passwords, stored payment data, browsing history, and the likes.

The threat actor deploys the malware through weaponized Microsoft Word documents, by using shellcode stored within the properties of the document. This is a deviation of a more standard practice in which threat actors would usually use PowerShell or MSHTA.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

While the strain is still in its infancy, and clearly a work in progress, it has great potential of becoming more than a nuisance, the researchers said.

Work in progress

The malware isn’t as potent as it can be. Still, with threat actors hard at work, there’s no room for complacency, argues Patrick Schläpfer, Malware Analyst at HP Wolf Security. 

“A few things in the malware are broken,” Schläpfer says. “SVCReady is clearly under development, and the malicious actors have been adding encryption to the network communication format in recent weeks. As the malware is refined there is potential for it to become a bigger problem in the future. We have seen a few similarities in file naming conventions and lure imagery which appear to be linked to those used by the financially motivated threat group TA551.”

Last we heard of TA551, the group was hijacking email threads to distribute malware loaders. Cybersecurity experts from Intezer found the group abusing known vulnerabilities in unpatched and compromised Microsoft Exchange servers to steal login credentials, moving into people’s inboxes, and replying on long email chains with the links to IcedID, a modular banking trojan.

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.