Your Word documents may be hiding a whole new family of malware

The new SVCReady malware is activated by opening a simple Word document and can download other malware onto your computer or even steal information about your configuration.

Security researchers at HP Wolf Security have just discovered a new malware family that can steal information. Dubbed SVCReady, this threat hides in a Word document that hackers send to their victims as part of a spam campaign.

Nothing new so far. But SVCReady has a twist that sets it apart: it does not use PowerShell or MSHTA commands to download the payload. Simply opening the Word file triggers the execution of a VBA macro, which loads into memory a program hidden in the document properties.

The code then executes a DLL using the Windows program rundll32.exe. This DLL does the download work by communicating with the attackers' servers. It also collects information such as the user's name, time zone and any domain membership. By querying the registry, the program also collects data on the BIOS, computer manufacturer, running processes and installed programs. It can also take a screenshot and count the connected USB devices. After that, it tries again to collect system information using the systeminfo.exe process. The malware also attempts to detect whether it is running in a virtual machine. Then it sleeps for 30 minutes.
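The process chain described above can be turned into a simple detection check. The following is an added example, not code from HP Wolf Security or the original article: it flags rundll32.exe started by WINWORD.EXE and records any systeminfo.exe among its descendants. The event field names and sample events are constructed, and it is an assumption that rundll32.exe shows up as a direct child of the Word process.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 320, "ppid": 210, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 330, "ppid": 320, "image": r"C:\Windows\SysWOW64\cmd.exe"},  # constructed hop, exercises the descendant walk
    {"pid": 340, "ppid": 330, "image": r"C:\Windows\SysWOW64\systeminfo.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe"},    # benign: started by explorer
    {"pid": 410, "ppid": 100, "image": r"C:\Windows\System32\systeminfo.exe"},  # benign: run by the user
]

OFFICE_PARENTS = {"winword.exe"}   # extend with other Office binaries if desired
RECON_TOOLS = {"systeminfo.exe"}   # the only follow-on tool the article names

def _name(image):
    """Lower-cased file name of a Windows image path, on any host OS."""
    return ntpath.basename(image).lower()

def find_word_rundll32_chains(events):
    """Return one finding per rundll32.exe whose parent is Word (PID reuse is ignored)."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if _name(e["image"]) != "rundll32.exe" or parent is None:
            continue
        if _name(parent["image"]) not in OFFICE_PARENTS:
            continue
        # Walk every descendant of this rundll32.exe, looking for recon tools.
        recon, stack, seen = [], [e["pid"]], set()
        while stack:
            pid = stack.pop()
            if pid in seen:
                continue
            seen.add(pid)
            for child in children.get(pid, []):
                if _name(child["image"]) in RECON_TOOLS:
                    recon.append(child["pid"])
                stack.append(child["pid"])
        findings.append({"word_pid": parent["pid"], "rundll32_pid": e["pid"], "recon_pids": sorted(recon)})
    return findings
```

A finding with a non-empty `recon_pids` list matches more of the described behaviour and deserves higher triage priority than the parent-child match alone.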

Associated with RedLine Stealer malware

Upon detection on April 26, researchers’ analysis of the code revealed that SVCReady was downloading the RedLine Stealer program. This malware is designed to steal passwords, payment information, and browsing data.

The program has evolved since its discovery in late April, according to researchers at HP Wolf Security. The data exchanged with the hackers’ servers is now encrypted, which was not the case at first. However, the malware has programming errors that cause, for example, execution to be interrupted when the computer is restarted. In addition, the program creates a specific key in the registry, which allows for easy detection.

However, researchers say the malware is evolving and could become a bigger threat. In addition, it shares similarities with the program used by the cybercriminal group TA551. This group used a bug in the Microsoft Exchange server to steal usernames and passwords, break into email inboxes, and reply to emails by redirecting to a banking Trojan. We must therefore remain very vigilant.
