EXECUTIVE SUMMARY
SvcStealer is a newly identified information-stealing malware delivered through spear-phishing email attachments. It is designed to collect a wide range of sensitive information, including system details, installed software, user credentials, cryptocurrency wallets, and messaging application data. Once inside a system, it sends the stolen data to a command-and-control server controlled by the attacker. The malware can also download and run additional harmful files from the server, increasing the risk of further damage. The stolen information may be sold on underground forums or used for other harmful activities. Given its ability to target financial data and communication tools, SvcStealer poses a serious risk to both individuals and organizations.
This malware is written in Microsoft Visual C++ and follows a structured process for infection and data collection. It generates a unique identifier from the system's volume serial number and creates a hidden folder to store stolen data. To avoid detection, it terminates system monitoring tools such as Task Manager and Process Hacker. It then collects information from cryptocurrency wallets, messaging applications, FTP clients, and web browsers, including credentials, credit card details, and system logs. Once the data is gathered, it is compressed into a ZIP file and sent to the attacker's server using HTTP POST requests. If the connection fails, the malware retries until it succeeds, so communication with the attacker's server is eventually established.
After stealing the data, SvcStealer removes the ZIP file and stored information to cover its tracks. It stays active by regularly checking in with the attacker's server, waiting for further instructions. If directed, it downloads and runs additional harmful files from attacker-specified locations, further increasing the risk. The malware also has backup server addresses to maintain operations even if one connection is blocked. During the analysis, the attacker's servers were unreachable, but the malware remains active and capable of downloading more harmful files.
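The behaviour chain described above (terminate monitoring tools, stage data in a hidden folder, ZIP it, HTTP POST it, delete the ZIP) is more reliable to alert on as a combination than as single events. The following is an added detection example, not code from the report or the malware; the event records are constructed and their field names (pid, type, target, path, hidden, method, host) are assumptions standing in for whatever a Sysmon/EDR pipeline supplies.

```python
from collections import defaultdict

# Monitoring tools the report says the malware terminates (lower-cased image names).
MONITORING_TOOLS = {"taskmgr.exe", "processhacker.exe"}

# Constructed telemetry: pid 4242 behaves like the stealer, pid 777 is a benign
# backup tool that also zips and uploads data (no tool-killing, hidden dir or cleanup).
EVENTS = [
    {"pid": 4242, "type": "process_terminate", "target": "Taskmgr.exe"},
    {"pid": 4242, "type": "process_terminate", "target": "ProcessHacker.exe"},
    {"pid": 4242, "type": "dir_create", "path": r"C:\Users\u\AppData\Local\x", "hidden": True},
    {"pid": 4242, "type": "file_create", "path": r"C:\Users\u\AppData\Local\x\out.zip"},
    {"pid": 4242, "type": "http", "method": "POST", "host": "203.0.113.10"},
    {"pid": 4242, "type": "file_delete", "path": r"C:\Users\u\AppData\Local\x\out.zip"},
    {"pid": 777, "type": "file_create", "path": r"C:\Users\u\Documents\backup.zip"},
    {"pid": 777, "type": "http", "method": "POST", "host": "backup.example.com"},
]


def analyse(events):
    """Return {pid: sorted behaviour tags} so a caller can alert on the combination
    of stages rather than on any single, often benign, action."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        tags = set()
        if any(e["type"] == "process_terminate" and e["target"].lower() in MONITORING_TOOLS for e in evs):
            tags.add("kills_monitoring_tools")
        if any(e["type"] == "dir_create" and e.get("hidden") for e in evs):
            tags.add("hidden_staging_dir")
        # Ordered chain: ZIP created -> later HTTP POST -> same ZIP deleted afterwards.
        zips = [(i, e["path"].lower()) for i, e in enumerate(evs)
                if e["type"] == "file_create" and e["path"].lower().endswith(".zip")]
        for i, path in zips:
            post = next((j for j, e in enumerate(evs)
                         if j > i and e["type"] == "http" and e["method"] == "POST"), None)
            if post is None:
                continue
            tags.add("zip_then_post")
            if any(k > post and e["type"] == "file_delete" and e["path"].lower() == path
                   for k, e in enumerate(evs)):
                tags.add("zip_post_delete")
        findings[pid] = sorted(tags)
    return findings


def suspicious(findings, minimum=3):
    """Processes showing at least `minimum` of the chained behaviours."""
    return sorted(pid for pid, tags in findings.items() if len(tags) >= minimum)
```

The threshold in `suspicious` keeps the legitimate backup tool (one behaviour) below the alert line while the stealer-like process (four) crosses it.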
THREAT PROFILE:
Tactics | Technique ID | Technique
Initial Access | T1566 | Phishing
Execution | T1059 | Command and Scripting Interpreter
Persistence | T1547 | Boot or Logon Autostart Execution
Defense Evasion | T1070 | Indicator Removal
Credential Access | T1555 | Credentials from Password Stores
Discovery | T1082 | System Information Discovery
Collection | T1113 | Screen Capture
Collection | T1005 | Data from Local System
Collection | T1560 | Archive Collected Data
Command and Control | T1071 | Application Layer Protocol
Exfiltration | T1041 | Exfiltration Over C2 Channel
Impact | T1490 | Inhibit System Recovery
REFERENCES:
The following reports contain further technical details: