Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.

“MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.

The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.

But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.

In this case, it paves the way for the download of an HTML file (“olerender.html”) from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.

“Olerender.html” takes advantage of “‘VirtualProtect’ to modify memory permissions, allowing the decoded shellcode to be written into memory securely,” Lin explained.

“Following this, ‘CreateThread’ executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker’s server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation.”

The shellcode serves as a downloader for a file that’s deceptively titled “GoogleUpdate” but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.

The spyware establishes persistence on the host through Windows Registry changes such that it’s launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors’ control.

This includes screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL “45.89.53[.]46/google/update[.]php.”

The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages (“signin.authen-connexion[.]info/icloud”) in order to continue using the services.

“The malicious website is accessible from both desktop and mobile browsers,” the Broadcom-owned company said. “To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.