Security researchers have identified a campaign targeting users in Canada, India, Poland, and the United States in which attackers exploit a long-patched flaw in Microsoft's MSHTML engine to deliver a surveillance tool known as MerkSpy.
The Intricacies of the Attack
The intrusion begins with a seemingly innocuous Microsoft Word document that purports to contain a job description for a software engineer. Opening it triggers exploitation of CVE-2021-40444, a critical remote code execution vulnerability in MSHTML; beyond opening the file, no further user interaction, such as enabling macros, is required.
Microsoft fixed the flaw in its September 2021 Patch Tuesday updates. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," said Cara Lin, a researcher at Fortinet FortiGuard Labs.
The document fetches an HTML file named "olerender.html" from a remote server. That file carries the embedded "sc_x64" shellcode; after determining the OS version and extracting the matching shellcode, "olerender.html" resolves the Windows APIs "VirtualProtect" and "CreateThread."
Retrieving Windows APIs (Source: Fortinet)
"VirtualProtect" changes the protection of the memory region that holds the decoded shellcode so that the region becomes executable. "CreateThread" then starts a new thread at that address, running the shellcode, which in turn downloads and executes the next payload from the attacker's server.
How MerkSpy Operates
The shellcode functions primarily as a downloader for a deceptively named file, "GoogleUpdate." Rather than Google's updater, the file is an injector built to evade antivirus detection by loading MerkSpy directly into memory.
Downloaded “GoogleUpdate” file (Source: Fortinet)
Once running, MerkSpy operates discreetly on the infected system, collecting sensitive information, monitoring user activity, and sending the data to servers operated by the threat actors.
It adds a Windows Registry entry so that it launches automatically at each startup. It covertly captures screenshots, logs keystrokes, and harvests login credentials saved in Google Chrome as well as data from the MetaMask browser extension, then exfiltrates everything to the attacker's server.
Final Word
To defend against such threats, keep systems current with security patches (the fix for CVE-2021-40444 has been available since September 2021) and treat unsolicited documents with suspicion. Office opens files downloaded from the internet in Protected View, which blocks this exploit, so do not click "Enable Editing" on an unexpected attachment. Defenders can also review autorun entries in the Registry and look for a binary named "GoogleUpdate" that is not Google's own signed updater, both indicators described above. Staying vigilant and informed remains essential to protecting personal and organizational data from threats like MerkSpy.