The first sighting of SVCReady in the wild took place in late April 2022. The malware was spread via malicious MS Word documents carrying macros that run as soon as the file is opened. Unlike most macro-based malware, however, SVCReady does not use MSHTA or PowerShell commands to fetch its payload from the Internet. Instead it uses a clever trick: the macro reads shellcode that has been hidden in the document's property fields and executes it directly from memory.
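Stashing a payload in document metadata is cheap to detect at triage time, because property fields are normally short human-readable strings. The following script is an added example (not code from the original post or from the SVCReady analysis) that opens an OOXML Word file from memory and flags any core/app property whose value is unusually long and looks like encoded bytes. The length and entropy thresholds, the `build_sample_docx` helper and the sample documents are all constructed for this example; the same idea applies to legacy OLE `.doc` files if the property streams are read with a library such as olefile instead of `zipfile`.

```python
import io
import math
import re
import xml.etree.ElementTree as ET
import zipfile

# Thresholds are assumptions chosen for this example: legitimate titles,
# authors and comments are short, while a hidden payload is hundreds of bytes.
MIN_SUSPICIOUS_LEN = 256
HIGH_ENTROPY = 4.5          # bits per character; English text sits near 4.1
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")


def shannon_entropy(text: str) -> float:
    """Per-character Shannon entropy of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def property_fields(docx_bytes: bytes) -> dict:
    """Return {'part:tag': value} for every text-bearing element in the metadata parts."""
    fields = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in METADATA_PARTS:
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for el in root.iter():
                if el.text and el.text.strip():
                    tag = el.tag.split("}")[-1]       # drop the XML namespace
                    fields[f"{part}:{tag}"] = el.text.strip()
    return fields


def suspicious_properties(docx_bytes: bytes) -> list:
    """Return [(field, length)] for properties that look like an embedded payload."""
    flagged = []
    for name, value in property_fields(docx_bytes).items():
        if len(value) < MIN_SUSPICIOUS_LEN:
            continue
        if HEX_RE.match(value) or shannon_entropy(value) > HIGH_ENTROPY:
            flagged.append((name, len(value)))
    return flagged


def build_sample_docx(description: str) -> bytes:
    """Construct a minimal in-memory .docx whose Comments field (dc:description) is given."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:title>Invoice</dc:title>'
        f'<dc:description>{description}</dc:description>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Application>Microsoft Office Word</Application></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Constructed samples: a benign comment and a 300-byte hex blob standing in for shellcode.
BENIGN_DOC = build_sample_docx("Quarterly report, final version")
FAKE_SHELLCODE_HEX = "".join(f"{(i * 37 + 11) % 256:02x}" for i in range(300))
STAGED_DOC = build_sample_docx(FAKE_SHELLCODE_HEX)

if __name__ == "__main__":
    print("benign:", suspicious_properties(BENIGN_DOC))
    print("staged:", suspicious_properties(STAGED_DOC))
```

Run against a directory of inbound attachments, a hit on `core.xml:description` (Word's "Comments" field) or any other property is a strong reason to pull the file for sandbox analysis; the macro that consumes the blob is the second half of the story, so this check complements rather than replaces macro inspection.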

As for the malware itself, it collects system information such as the username, computer name, time zone, and whether the machine is joined to a domain. It also queries the registry, specifically the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System key, for details about the computer's manufacturer, BIOS, and firmware. Other details that SVCReady collects include the list of running processes and installed software. The collection is done through direct Windows API calls rather than Windows Management Instrumentation (WMI) queries, which means the usual WMI-based telemetry will not see it. All collected details are formatted as JSON and sent to the C2 server in an HTTP POST request.

SVCReady drops a DLL file in the temporary folder. It then copies the legitimate system rundll32.exe into the same directory under a different name, and uses that renamed copy to load and execute the malicious DLL, so the process tree shows an unknown executable in %TEMP% rather than the familiar system32\rundll32.exe.
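The renamed-rundll32 trick defeats rules that only match on the image name, but the binary still carries its original PE version information, which Sysmon exposes as OriginalFileName in process-creation events. The following script is an added example (not code from the original post or from the SVCReady analysis) that scores Sysmon-style process-creation events for three signals: a binary whose OriginalFileName is RUNDLL32.EXE running from outside the system directories, the same binary carrying a file name other than rundll32.exe, and a DLL argument that lives in a temp directory. The event fields mirror Sysmon Event ID 1; the user name, file names and the event list are constructed for this example.

```python
import ntpath
import re

# Where a genuine rundll32.exe is expected to live (assumed default Windows install).
LEGIT_RUNDLL32 = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\syswow64\rundll32.exe",
}
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+\.dll', re.IGNORECASE)


def score_event(event: dict) -> list:
    """Return a list of reasons the event looks like a renamed rundll32 loading a temp DLL."""
    reasons = []
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")

    if original == "rundll32.exe":
        if image.lower() not in LEGIT_RUNDLL32:
            reasons.append(f"rundll32 running from unexpected path: {image}")
        if ntpath.basename(image).lower() != "rundll32.exe":
            reasons.append(f"rundll32 renamed to {ntpath.basename(image)}")

    # Any DLL argument under a temp directory is suspicious regardless of the host binary.
    for dll in DLL_PATH_RE.findall(cmdline):
        if TEMP_DIR_RE.search(dll):
            reasons.append(f"DLL loaded from temp directory: {dll}")
    return reasons


def triage(events: list) -> list:
    """Return [(index, reasons)] for every event that raised at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := score_event(e))]


# Constructed Sysmon Event ID 1 records (user and file names are made up for the example).
SAMPLE_EVENTS = [
    {   # 0: ordinary Control Panel launch, no findings expected
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 1: the SVCReady pattern: renamed rundll32 copy in %TEMP% loading a DLL from %TEMP%
        "Image": r"C:\Users\bob\AppData\Local\Temp\uhnzqg.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\uhnzqg.exe" C:\Users\bob\AppData\Local\Temp\ktxzr.dll,#1',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # 2: genuine rundll32 but the DLL comes from a temp directory (weaker signal)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\Temp\setup.dll,Install",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print("  -", reason)
```

Event 1 trips all three signals and is the one worth paging on; event 2 trips only the temp-DLL signal, which is noisy on its own (installers do this legitimately), so in practice you would weight it lower or require a non-installer parent such as WINWORD.EXE before escalating.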

The malware appears to be in active development, having been updated several times since the end of April. It contains what looks like a persistence mechanism, but that code is buggy and does not actually achieve persistence in its current state. That does not mean SVCReady will not become a real threat; it simply shows that it is still at an early stage.
