Home Security Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

by


Jul 03, 2024NewsroomSpyware / Vulnerability

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.

“MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.

The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.

Cybersecurity

But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.

In this case, it paves the way for the download of an HTML file (“olerender.html”) from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.

“Olerender.html” takes advantage of “‘VirtualProtect’ to modify memory permissions, allowing the decoded shellcode to be written into memory securely,” Lin explained.

“Following this, ‘CreateThread’ executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker’s server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation.”

The shellcode serves as a downloader for a file that’s deceptively titled “GoogleUpdate” but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.

The spyware establishes persistence on the host through Windows Registry changes such that it’s launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors’ control.

Cybersecurity

This includes screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL “45.89.53[.]46/google/update[.]php.”

The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages (“signin.authen-connexion[.]info/icloud”) in order to continue using the services.

“The malicious website is accessible from both desktop and mobile browsers,” the Broadcom-owned company said. “To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex