Microsoft MSHTML Flaw Exploited to Distribute MerkSpy Spyware Tool
Unidentified threat actors have exploited a patched security vulnerability in Microsoft MSHTML to distribute a surveillance tool known as MerkSpy in a campaign mainly targeting users in Canada, India, Poland, and the U.S.
According to a report published last week by Fortinet FortiGuard Labs researcher Cara Lin, “MerkSpy is crafted to covertly monitor user activities, capture sensitive data, and establish persistence on compromised systems.”
The initial step in the attack sequence involves a Microsoft Word document supposedly containing a job description for a software engineer position.
Opening this file, however, triggers exploitation of CVE-2021-40444, a remote code execution flaw in the MSHTML (Trident) rendering engine. Opening the crafted document is the only user interaction the attack needs; no further clicks or prompts are involved. Microsoft fixed the bug in its Patch Tuesday updates of September 2021, so the lure only works on systems still missing that update.
In this campaign the exploit is used to fetch an HTML file (“olerender.html”) from a remote server; that file first checks the Windows version and then runs shellcode embedded in it.
“Olerender.html” uses “‘VirtualProtect’ to adjust memory permissions, enabling the secure writing of the decoded shellcode into memory,” Lin explained.
“Subsequently, ‘CreateThread’ triggers the injected shellcode, laying the groundwork for downloading and executing the next payload from the malicious server. This ensures seamless operation of the malicious code, facilitating further exploitation.”
The shellcode acts as a downloader for a file labeled “GoogleUpdate,” concealing an injector payload designed to evade detection by security tools and load MerkSpy into memory.
The spyware establishes persistence on the device through modifications to the Windows Registry, ensuring automatic launch upon system boot. It is also equipped to discreetly capture sensitive data, monitor user actions, and send gathered information to external servers controlled by the threat actors.

This data includes screenshots, keystrokes, login details stored in Google Chrome, and information from the MetaMask browser extension, all transmitted to the URL “45.89.53[.]46/google/update[.]php.”
The findings coincide with Symantec's disclosure of a smishing campaign targeting U.S. users with SMS messages purporting to come from Apple. The messages try to lure recipients into clicking through to a counterfeit credential-harvesting page (“signin.authen-connexion[.]info/icloud”), supposedly to keep using Apple services.
“The malicious site is accessible through both desktop and mobile browsers,” the Broadcom-owned company said in a statement. “To add an illusion of authenticity, they have integrated a CAPTCHA that users must complete. Subsequently, users are redirected to a page mimicking a dated iCloud login template.”