SVCReady

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.[1]

ID: S1064
Type: MALWARE
Platforms: Windows
Contributors: Manikantan Srinivasan, NEC Corporation India; Akiko To, NEC Corporation; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 10 February 2023
Last Modified: 16 April 2025

Techniques Used

Domain | ID | Name | Use

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

SVCReady can communicate with its C2 servers via HTTP.[1]

Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic

SVCReady has used VBA macros to execute shellcode.[1]

Enterprise | T1005 | Data from Local System

SVCReady can collect data from an infected host.[1]

Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking

SVCReady has created the HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19} Registry key for persistence.[1]

Enterprise | T1041 | Exfiltration Over C2 Channel

SVCReady can send collected data in JSON format to its C2 server.[1]

Enterprise | T1105 | Ingress Tool Transfer

SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.[1]

Enterprise | T1036.004 | Masquerading: Masquerade Task or Service

SVCReady has named a task RecoveryExTask as part of its persistence activity.[1]

Enterprise | T1106 | Native API

SVCReady can use Windows API calls to gather information from an infected host.[1]

Enterprise | T1027 | Obfuscated Files or Information

SVCReady can encrypt victim data with an RC4 cipher.[1]

Enterprise | T1120 | Peripheral Device Discovery

SVCReady can check for the number of devices plugged into an infected host.[1]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

SVCReady has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[1]

Enterprise | T1057 | Process Discovery

SVCReady can collect a list of running processes from an infected host.[1]

Enterprise | T1012 | Query Registry

SVCReady can search for the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Registry key to gather system information.[1]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

SVCReady can create a scheduled task named RecoveryExTask to gain persistence.[1]

Enterprise | T1113 | Screen Capture

SVCReady can take a screenshot from an infected host.[1]

Enterprise | T1518 | Software Discovery

SVCReady can collect a list of installed software from an infected host.[1]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

SVCReady has used rundll32.exe for execution.[1]

Enterprise | T1082 | System Information Discovery

SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe.[1]

Enterprise | T1033 | System Owner/User Discovery

SVCReady can collect the username from an infected host.[1]

Enterprise | T1124 | System Time Discovery

SVCReady can collect time zone information.[1]

Enterprise | T1204.002 | User Execution: Malicious File

SVCReady has relied on users clicking a malicious attachment delivered through spearphishing.[1]

Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks

SVCReady has the ability to determine if its runtime environment is virtualized.[1]

Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks

SVCReady can enter a sleep stage for 30 minutes to evade detection.[1]

Enterprise | T1047 | Windows Management Instrumentation

SVCReady can use WMI queries to detect the presence of a virtual machine environment.[1]
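The two persistence artifacts in the table above (the per-user CLSID key from T1546.015 and the RecoveryExTask scheduled task from T1053.005 / T1036.004) are concrete enough to check for on a single host. The following PowerShell triage script is an added example written for this page; it is not code from the ATT&CK entry, from MITRE, or from the cited report. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module present, and the InprocServer32 subkey lookup is an assumption about how hijacked CLSID keys are commonly laid out, not something the page states.

```powershell
# Added host-triage example (not from the ATT&CK page or the cited report).
# Checks one Windows host for the two SVCReady persistence artifacts named above.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module available.

# CLSID taken verbatim from the T1546.015 entry on this page.
$Clsid    = '{E6D34FFC-AD32-4d6a-934C-D387FA873A19}'
$ClsidKey = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid"

# Task name taken verbatim from the T1053.005 / T1036.004 entries on this page.
$TaskName = 'RecoveryExTask'

$findings = @()

# 1. COM hijack artifact: a per-user CLSID key that shadows the machine-wide one.
if (Test-Path -LiteralPath $ClsidKey) {
    $finding = [pscustomobject]@{
        Artifact = 'HKCU CLSID key (T1546.015)'
        Location = $ClsidKey
        Detail   = $null
    }
    # Assumption (not stated on the page): a hijacked CLSID usually carries an
    # InprocServer32 subkey whose default value names the DLL that gets loaded.
    $inproc = "$ClsidKey\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $finding.Detail = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    }
    $findings += $finding
}

# 2. Scheduled task artifact: the task name the page associates with persistence.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = $task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }
    $findings += [pscustomobject]@{
        Artifact = 'Scheduled task (T1053.005)'
        Location = "$($task.TaskPath)$($task.TaskName)"
        Detail   = $actions -join '; '
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No SVCReady persistence artifacts found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being examined, since the CLSID key lives under HKEY_CURRENT_USER and will not be visible from another account's hive. The task-action detail is recorded so an analyst can see whether the task launches rundll32.exe, which the T1218.011 entry above lists as SVCReady's execution vehicle.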

References
