Recently, unidentified threat actors have exploited a now-fixed security vulnerability in Microsoft MSHTML to disseminate a surveillance tool known as MerkSpy. This activity primarily targets users in Canada, India, Poland, and the United States.
Cara Lin, a researcher from Fortinet FortiGuard Labs, outlined in a recent report that MerkSpy is designed to covertly monitor user actions, collect sensitive data, and establish persistent access on compromised systems.
The attack starts with a Microsoft Word document that purports to contain a job description for a software engineering position. Opening the document triggers exploitation of CVE-2021-40444, a critical flaw in MSHTML that allows remote code execution without requiring user interaction. Microsoft addressed this vulnerability in its September 2021 Patch Tuesday updates.
Upon exploitation, an HTML file named “olerender.html” is downloaded from a remote server. This file initiates execution of an embedded shellcode after verifying the operating system version. According to Lin, “Olerender.html” utilizes the ‘VirtualProtect’ function to adjust memory permissions, ensuring secure writing of decoded shellcode into memory.
The injected shellcode is then executed via ‘CreateThread’, and its job is to download and execute the next payload from the attacker’s server. This hands off execution from the exploit to the malicious code, facilitating further exploitation of the system.
The shellcode acts as a downloader for a file disguised as “GoogleUpdate,” which actually contains an injector payload designed to evade detection by security software and load MerkSpy into memory.
MerkSpy ensures persistence on the compromised host by making changes to the Windows Registry, ensuring automatic launch upon system startup. It possesses capabilities to surreptitiously capture sensitive information, monitor user activities, and send data to external servers controlled by threat actors. This includes capturing screenshots, recording keystrokes, retrieving login credentials stored in Google Chrome, and accessing data from the MetaMask browser extension. All gathered information is transmitted to the URL “45.89.53[.]46/google/update[.]php.”
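The behaviours described above (an Office process fetching “olerender.html”, a binary masquerading as “GoogleUpdate” running from a user-writable directory, an autorun registry value pointing at it, and outbound traffic to 45.89.53[.]46) are all things a defender can look for in endpoint telemetry. The following is an added illustration, not code from Fortinet or from the report: a small triage script that parses constructed Sysmon-style events (IDs 3, 11 and 13 are real Sysmon event types; the key=value line format and the sample events are constructed for this example) and flags each indicator. The article only says MerkSpy “makes changes to the Windows Registry” for autostart, so the Run/RunOnce key paths and the user-writable-path heuristic are assumptions of this example.

```python
"""Added example (not Fortinet's code): flag the MerkSpy indicators named in the
article in constructed Sysmon-style event lines."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the article (IP/path given there in defanged form).
EXFIL_HOST = "45.89.53.46"
DROPPER_HTML = "olerender.html"
DISGUISED_NAME = "googleupdate"
# Assumed autorun locations; the article only states the Registry is modified.
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample telemetry (not real data). EventID 3 = network connection,
# 11 = file create, 13 = registry value set. Two legitimate events are included
# so the rules can be checked for false positives.
SAMPLE_EVENTS = """\
EventID=3 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\GoogleUpdate.exe DestinationIp=45.89.53.46 DestinationPort=80
EventID=13 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\GoogleUpdate.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details=C:\\Users\\jdoe\\AppData\\Local\\Temp\\GoogleUpdate.exe
EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE TargetFilename=C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\olerender.html
EventID=3 Image=C:\\Program Files\\Google\\Update\\GoogleUpdate.exe DestinationIp=142.250.80.14 DestinationPort=443
EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth Details=%windir%\\system32\\SecurityHealthSystray.exe
"""

# Lazy value match that stops at the next " Key=" token, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    line_no: int
    rule: str
    image: str


def parse_event(line: str) -> dict:
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(KV_RE.findall(line.strip()))


def _is_user_writable(path: str) -> bool:
    """Heuristic: autorun entries pointing into AppData/Temp deserve a look."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (possibly none)."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    base = PureWindowsPath(image).name.lower()

    # Outbound connection to the exfiltration host named in the report.
    if eid == "3" and ev.get("DestinationIp") == EXFIL_HOST:
        hits.append("exfil-c2")

    # Autorun value whose target lives in a user-writable directory.
    if eid == "13":
        target = ev.get("TargetObject", "").lower()
        if any(k.lower() in target for k in AUTORUN_KEYS) and _is_user_writable(ev.get("Details", "")):
            hits.append("autorun-persistence")

    # Word writing the HTML stage that the MSHTML exploit loads.
    written = PureWindowsPath(ev.get("TargetFilename", "")).name.lower()
    if eid == "11" and base == "winword.exe" and written == DROPPER_HTML:
        hits.append("mshtml-dropper")

    # "GoogleUpdate" running from anywhere other than Program Files.
    if base.startswith(DISGUISED_NAME) and "\\program files" not in image.lower():
        hits.append("masquerade")
    return hits


def scan(text: str) -> list[Finding]:
    """Scan a block of event lines and collect one Finding per rule hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        findings.extend(Finding(n, rule, ev.get("Image", "")) for rule in check_event(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule:<20} {f.image}")
```

Run against the constructed events, the first three lines produce five findings and the two legitimate events (the real Google updater under Program Files and the SecurityHealth autorun under HKLM) produce none. The masquerade and autorun rules are heuristics and will need tuning to a real environment; the exfiltration-host match is the one rule that is purely indicator-driven and will go stale as soon as the infrastructure changes.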
Symantec recently reported on a smishing campaign targeting U.S. users with fraudulent SMS messages claiming to be from Apple. Under the pretext of keeping their service active, the messages attempt to lure recipients into clicking a link to a fake credential harvesting page (“signin.authen-connexion[.]info/icloud”).
Broadcom, the parent company of Symantec, noted, “The malicious site is accessible via both desktop and mobile browsers.” To enhance credibility, the attackers have implemented a CAPTCHA mechanism that users must complete. Afterward, users are redirected to a webpage mimicking an outdated iCloud login template.