Exploitation of Microsoft MSHTML Vulnerability Used to Distribute MerkSpy Spyware Software

Unknown threat actors have been seen exploiting a patched security issue in Microsoft MSHTML to distribute a surveillance tool known as MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.

“MerkSpy is created to secretly monitor user activities, gather sensitive information, and maintain persistence on compromised systems,” Fortinet FortiGuard Labs researcher Cara Lin stated in a report published recently.

The attack begins with a Microsoft Word document that appears to contain a job description for a software engineer position.

However, opening the file triggers the exploitation of CVE-2021-40444, a critical flaw in the MSHTML browser rendering engine that Office documents can host, which allows remote code execution as soon as a victim opens a specially crafted document, with no further interaction required. Microsoft fixed this flaw in the September 2021 Patch Tuesday updates, so the campaign can only succeed on hosts that have not received those updates.

In this scenario, it allows the download of an HTML file (“olerender.html”) from a remote server, which then executes an embedded shellcode after checking the OS version.

“Olerender.html” utilizes “‘VirtualProtect’ to change memory permissions, enabling the shellcode to be written into memory securely,” explained Lin.

“Following this, ‘CreateThread’ runs the injected shellcode, preparing for downloading and executing the next payload from the attacker’s server. This ensures that the malicious code runs smoothly, enabling further exploitation.”

The shellcode functions as a downloader for a file named “GoogleUpdate,” which in reality is an injector payload designed to evade detection by security tools and load MerkSpy directly into memory.

The spyware establishes persistence on the system by making changes to the Windows Registry to launch automatically at system startup. It is also able to secretly capture sensitive information, monitor user activities, and send data to external servers controlled by the threat actors.

This includes screenshots, keystrokes, login credentials saved in Google Chrome, and data from the MetaMask browser extension. All this data is sent to the URL “45.89.53[.]46/google/update[.]php.”
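The chain described above leaves several host-observable traces: Word fetching an HTML stage from a remote server, Word spawning a child process, a Run-key write for persistence, and beacons to the reported C2 URL. The following is an added detection sketch, not code from Fortinet, the article, or the malware: it runs those behavioural checks over a handful of constructed Sysmon-style records (event 1 = process create, 3 = network connect, 13 = registry value set). The key=value record format, field names, the sample paths and the staging IP 203.0.113.10 are assumptions; the C2 host, path and stage file names come from the article.

```python
"""Behavioural checks for the MerkSpy chain (added example, not the article's code)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators from the article (the text defangs the IP; it is live here for matching).
C2_HOST = "45.89.53.46"
C2_PATH = "/google/update.php"
STAGE_FILE = "olerender.html"

# Office processes that should never fetch HTML from the internet or spawn children.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Autostart locations (prefix match also catches RunOnce, which is fine for our purpose).
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)

# Constructed sample log in a simplified key=value format (assumed, not real Sysmon XML).
SAMPLE_LOG = r"""
event=1 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" parent="explorer.exe" cmd="WINWORD.EXE job_description.docx"
event=3 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" dst=203.0.113.10 dport=80 url=http://203.0.113.10/olerender.html
event=1 image="C:\Users\bob\AppData\Local\Temp\GoogleUpdate.exe" parent="WINWORD.EXE" cmd="GoogleUpdate.exe"
event=13 image="C:\Users\bob\AppData\Local\Temp\GoogleUpdate.exe" target="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate" details="C:\Users\bob\AppData\Local\Temp\GoogleUpdate.exe"
event=3 image="C:\Users\bob\AppData\Local\Temp\GoogleUpdate.exe" dst=45.89.53.46 dport=80 url=http://45.89.53.46/google/update.php
event=3 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=198.51.100.7 dport=443 url=https://example.org/
"""


def parse_line(line):
    """Split one record into a dict; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    """Lower-cased file name of a Windows path (empty string if the field is absent)."""
    return PureWindowsPath(path).name.lower() if path else ""


def analyze(log_text):
    """Return (line_no, rule, image) for every record that matches a check, in log order."""
    alerts = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        f = parse_line(line)
        if not f:
            continue
        ev = f.get("event")
        image, parent = basename(f.get("image")), basename(f.get("parent"))
        url, target = f.get("url", "").lower(), f.get("target", "").lower()
        dst = f.get("dst", "")

        # 1. Word launching something: the injector/loader stage.
        if ev == "1" and parent in OFFICE:
            alerts.append((n, "office_child_process", image))
        # 2. Word itself making a network connection: the MSHTML stage fetch.
        if ev == "3" and image in OFFICE:
            alerts.append((n, "office_network_fetch", image))
        # 3. The specific stage file name reported by Fortinet.
        if ev == "3" and STAGE_FILE in url:
            alerts.append((n, "stage_url", image))
        # 4. Persistence via a Run key, as the spyware does after injection.
        if ev == "13" and any(target.startswith(k) for k in RUN_KEYS):
            alerts.append((n, "run_key_persistence", image))
        # 5. Beacon to the reported exfiltration endpoint.
        if ev == "3" and (dst == C2_HOST or C2_PATH in url):
            alerts.append((n, "known_c2", image))
    return alerts


def correlate(alerts):
    """Images that both persisted and talked to the C2: the high-confidence set."""
    rules_by_image = defaultdict(set)
    for _, rule, image in alerts:
        rules_by_image[image].add(rule)
    return sorted(img for img, rules in rules_by_image.items()
                  if {"run_key_persistence", "known_c2"} <= rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for line_no, rule, image in found:
        print(f"line {line_no}: {rule} ({image})")
    print("high confidence:", correlate(found))
```

The first four checks are behavioural and survive the attackers rotating infrastructure; only `known_c2` and `stage_url` depend on the published indicators. Note that the "GoogleUpdate" file name is deliberately not used as a standalone signal, since Google's real updater carries the same name; the path and the Word parent are what make it suspicious here.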

Symantec recently described a smishing campaign targeting U.S. users with SMS messages claiming to be from Apple, which aim to deceive recipients into visiting a fake credential-harvesting page (“signin.authen-connexion[.]info/icloud”) on the pretext that they must do so to keep using their services.

“The malicious website is accessible from both desktop and mobile browsers,” the Broadcom-owned company mentioned. “To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template.”
