Skip to content

S1064 SVCReady

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.1

Item Value
ID S1064
Associated Names
Version 1.0
Created 10 February 2023
Last Modified 18 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SVCReady can communicate with its C2 servers via HTTP.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic SVCReady has used VBA macros to execute shellcode.1
enterprise T1005 Data from Local System SVCReady can collect data from an infected host.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking SVCReady has created the HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19} Registry key for persistence.1
enterprise T1041 Exfiltration Over C2 Channel SVCReady can send collected data in JSON format to its C2 server.1
enterprise T1105 Ingress Tool Transfer SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service SVCReady has named a task RecoveryExTask as part of its persistence activity.1
enterprise T1106 Native API SVCReady can use Windows API calls to gather information from an infected host.1
enterprise T1027 Obfuscated Files or Information SVCReady can encrypt victim data with an RC4 cipher.1
enterprise T1120 Peripheral Device Discovery SVCReady can check for the number of devices plugged into an infected host.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment SVCReady has been distributed via spearphishing campaigns containing malicious Mircrosoft Word documents.1
enterprise T1057 Process Discovery SVCReady can collect a list of running processes from an infected host.1
enterprise T1012 Query Registry SVCReady can search for the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Registry key to gather system information.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task SVCReady can create a scheduled task named RecoveryExTask to gain persistence.1
enterprise T1113 Screen Capture SVCReady can take a screenshot from an infected host.1
enterprise T1518 Software Discovery SVCReady can collect a list of installed software from an infected host.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 SVCReady has used rundll32.exe for execution.1
enterprise T1082 System Information Discovery SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe.1
enterprise T1033 System Owner/User Discovery SVCReady can collect the username from an infected host.1
enterprise T1124 System Time Discovery SVCReady can collect time zone information.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File SVCReady has relied on users clicking a malicious attachment delivered through spearphishing.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks SVCReady has the ability to determine if its runtime environment is virtualized.1
enterprise T1497.003 Time Based Evasion SVCReady can enter a sleep stage for 30 minutes to evade detection.1
enterprise T1047 Windows Management Instrumentation SVCReady can use WMI queries to detect the presence of a virtual machine environment.1