Headline
Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool
Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. “MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” Fortinet FortiGuard
Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.
“MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.
The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.
But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.
In this case, it paves the way for the download of an HTML file (“olerender.html”) from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.
“Olerender.html” takes advantage of “’VirtualProtect’ to modify memory permissions, allowing the decoded shellcode to be written into memory securely,” Lin explained.
“Following this, ‘CreateThread’ executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker’s server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation.”
The shellcode serves as a downloader for a file that’s deceptively titled “GoogleUpdate” but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.
The spyware establishes persistence on the host through Windows Registry changes such that it’s launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors’ control.
This includes screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL “45.89.53[.]46/google/update[.]php.”
The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages (“signin.authen-connexion[.]info/icloud”) in order to continue using the services.
“The malicious website is accessible from both desktop and mobile browsers,” the Broadcom-owned company said. “To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from
By Waqas LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data. This is a post from HackRead.com Read the original post: New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs
The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.
Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event. Alternative video link (for Russia): https://vk.com/video-149273431_456239091 As I did last year, I want to start talking about this […]
Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.
Proof of concept for the remote code execution vulnerability in MSDT known as Follina.
Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.
Microsoft MSHTML Remote Code Execution Vulnerability