Unknown threat actors have exploited a now-patched security flaw in Microsoft MSHTML to deliver the MerkSpy surveillance tool, primarily targeting users in Canada, India, Poland, and the U.S.
“MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” said Fortinet FortiGuard Labs researcher Cara Lin in a report published last week.
The attack begins with a Microsoft Word document that appears to be a job description for a software engineer. Opening the file exploits CVE-2021-40444, a high-severity flaw in MSHTML, enabling remote code execution without user interaction. Microsoft addressed this flaw in their September 2021 Patch Tuesday updates.
This exploit downloads an HTML file (“olerender.html”) from a remote server, which then executes embedded shellcode after checking the operating system version. The shellcode, using VirtualProtect, modifies memory permissions to securely write the decoded shellcode into memory, followed by CreateThread executing the shellcode to download and run the next payload from the attacker’s server.
Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool: Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign… https://t.co/27KWZ8VNc6 DeepBlue Security pic.twitter.com/zPNDxBfZ3k
— DeepBlue Security & Intelligence (@DeepBlueInfoSec) July 3, 2024
The downloaded file, deceptively named “GoogleUpdate,” contains an injector payload that evades security software and loads MerkSpy into memory. MerkSpy establishes persistence on the host through Windows Registry changes, ensuring it launches automatically on startup. It captures sensitive information, monitors user activities, and exfiltrates data to external servers.
Captured data includes screenshots, keystrokes, login credentials from Google Chrome, and data from the MetaMask browser extension, all transmitted to the URL “45.89.53[.]46/google/update[.]php.”
The development follows Symantec’s report of a smishing campaign targeting U.S. users with fraudulent SMS messages from “Apple,” leading to credential harvesting pages.
Maintaining updated security patches and practicing caution with email attachments are critical in mitigating such threats.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.