Exploit in Microsoft MSHTML Used to Distribute MerkSpy Surveillance Tool
Unidentified threat actors have exploited a patched vulnerability in Microsoft MSHTML to deploy a surveillance tool known as MerkSpy in a targeted campaign focused primarily on users in Canada, India, Poland, and the United States.
A report released last week by Fortinet FortiGuard Labs researcher Cara Lin highlighted that “MerkSpy has been constructed to secretly monitor user actions, gather confidential data, and establish persistence on compromised machines.”
The assault starts with a Microsoft Word document purportedly featuring a job description for a software developer position.
However, opening the file triggers exploitation of CVE-2021-40444, a high-severity (CVSS 8.8) flaw in MSHTML that allows remote code execution once a victim opens a crafted document, with no further interaction required. Microsoft patched it in its September 2021 Patch Tuesday updates.
In this case, the exploit fetches an HTML file (“olerender.html”) from a remote server, which checks the operating system version and then executes embedded shellcode.
“Olerender.html” uses “‘VirtualProtect’ for adjusting memory permissions, allowing for secure writing of the decoded shellcode into memory,” Lin explained.
Subsequent to this process, ‘CreateThread’ runs the injected shellcode, laying the groundwork for the downloading and execution of the subsequent payload from the adversaries’ server. This sequence ensures smooth operation of the malicious code, simplifying further exploitation.
The shellcode functions as a downloader for a file camouflaged as “GoogleUpdate,” but in reality, harbors an injector payload designed to dodge detection by security software and introduce MerkSpy into memory.
The spyware gains a firm foothold on the system by altering Windows Registry settings, ensuring that it launches automatically upon system boot. It possesses the capability to covertly gather sensitive information, monitor user activities, and transfer data to external servers controlled by the attackers.

This includes capturing screenshots, keystrokes, login credentials saved in Google Chrome, and information from the MetaMask browser extension. All these details are sent to the URL “45.89.53[.]46/google/update[.]php.”
Meanwhile, Symantec has highlighted a smishing campaign aimed at individuals in the U.S., leveraging dubious SMS messages purporting to be from Apple and urging recipients to click on fraudulent credential-harvesting pages (“signin.authen-connexion[.]info/icloud”) to maintain service access.
“The malicious website can be accessed from both desktop and mobile browsers,” stated the firm owned by Broadcom. “To enhance credibility, they have integrated a CAPTCHA for users to solve. Subsequently, users are directed to a webpage mimicking an outdated iCloud login template.”
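As an added example (not code from the Fortinet or Symantec reports, and not the malware's own), the Python below takes the indicators quoted above in the defanged form the reports use, refangs them, and scans proxy log lines for the MerkSpy exfiltration endpoint, the second-stage “olerender.html” file and the Apple smishing page. The log format, the client addresses, the 203.0.113.77 staging host and the bare-IP “GoogleUpdate” heuristic are my assumptions; the article itself names only the two file names and the two URLs.

```python
"""Scan proxy log lines for the MerkSpy and Apple-smishing indicators above.

Indicators are copied from the article in defanged form; the log lines are
constructed for this example and are not real traffic.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# Indicators quoted in the article, kept defanged as published.
DEFANGED_IOCS = {
    "45.89.53[.]46/google/update[.]php": "MerkSpy exfiltration endpoint",
    "signin.authen-connexion[.]info/icloud": "Apple-themed smishing page",
}

# Second-stage file from the MerkSpy chain. The article does not publish the
# serving host, so this is matched on file name only (medium confidence).
STAGE_FILE = "olerender.html"


class Finding(NamedTuple):
    ts: str
    client: str
    url: str
    reason: str
    confidence: str  # "high" = exact published indicator, "medium" = heuristic


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def normalize(url: str) -> str:
    """Lower-cased 'host/path' with scheme, port, query and fragment stripped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
IOC_HOSTS = {k.split("/", 1)[0]: v for k, v in IOCS.items()}

# Assumed (constructed) log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Return (reason, confidence) for a URL, or None if nothing matched."""
    norm = normalize(url)
    host, _, rest = norm.partition("/")
    path = "/" + rest
    # 1. Exact published URL, or anything beneath it (e.g. /icloud/login).
    for ioc, label in IOCS.items():
        if norm == ioc or norm.startswith(ioc + "/"):
            return label, "high"
    # 2. Any other request to a published attacker host.
    if host in IOC_HOSTS:
        return "other request to host of: " + IOC_HOSTS[host], "medium"
    # 3. Second-stage loader by file name; the real host is unknown.
    if path.rsplit("/", 1)[-1] == STAGE_FILE:
        return "CVE-2021-40444 second-stage file name", "medium"
    # 4. Heuristic (my assumption, not from the article): a 'GoogleUpdate'-named
    #    download from a bare IP. Matching the name alone would flag the real updater.
    if "googleupdate" in path.lower() and is_ip_literal(host):
        return "GoogleUpdate-named download from a bare IP (MerkSpy disguise)", "medium"
    return None


def scan(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = classify(m["url"])
        if hit:
            findings.append(Finding(m["ts"], m["client"], m["url"], hit[0], hit[1]))
    return findings


# Constructed sample traffic: one MerkSpy-style chain and one smishing victim.
SAMPLE_LOG = """\
2024-07-01T09:14:02Z 10.0.4.21 GET http://intranet.example.local/jobs/software-developer.docx 200
2024-07-01T09:14:09Z 10.0.4.21 GET http://203.0.113.77/olerender.html 200
2024-07-01T09:14:15Z 10.0.4.21 GET http://203.0.113.77/GoogleUpdate.exe 200
2024-07-01T09:16:40Z 10.0.4.21 POST http://45.89.53.46/google/update.php 200
2024-07-01T09:16:41Z 10.0.4.21 GET http://45.89.53.46/favicon.ico 404
2024-07-01T09:20:03Z 10.0.4.37 GET https://www.google.com/search?q=merkspy 200
2024-07-01T11:02:55Z 10.0.9.12 GET https://signin.authen-connexion.info/icloud/ 200
2024-07-01T11:03:10Z 10.0.9.12 POST https://signin.authen-connexion.info/icloud/login 302
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} [{f.confidence}] {f.reason}: {f.url}")
```

The high-confidence matches are the two published URLs and anything beneath them; a request elsewhere on a published host, the loader file name, and the bare-IP “GoogleUpdate” download are reported at medium confidence so an analyst pivots on the client rather than blocking on a name that legitimate Google updater traffic also carries.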