Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

In the world of cybersecurity, threat actors constantly adapt and find new ways to exploit vulnerabilities. Recently, unknown attackers have been exploiting a patched security flaw in Microsoft MSHTML to deliver a surveillance tool named MerkSpy. This campaign has primarily targeted users in Canada, India, Poland, and the U.S., highlighting the ongoing risks associated with software vulnerabilities.

Understanding the MSHTML Flaw (CVE-2021-40444)

The vulnerability at the heart of this campaign is CVE-2021-40444, a high-severity flaw in Microsoft's MSHTML component. This flaw allows for remote code execution without any user interaction, making it a potent tool for cybercriminals. Microsoft addressed this issue in its Patch Tuesday updates released in September 2021. Despite the patch, some systems remain vulnerable, either due to delayed updates or unpatched software.

Attack Chain Breakdown

The attack begins with a seemingly innocuous Microsoft Word document that purports to contain a job description for a software engineer role. However, opening this document triggers the exploitation of CVE-2021-40444, setting off a chain reaction that ultimately delivers the MerkSpy spyware.

Step-by-Step Breakdown:

  1. Initial Exploit:
    • The Word document, when opened, exploits the MSHTML flaw to execute remote code without user interaction.
  2. Download HTML File:
    • The exploitation leads to the download of an HTML file named "olerender.html" from a remote server.
  3. Shellcode Execution:
    • The HTML file checks the operating system version and uses 'VirtualProtect' to modify memory permissions, allowing decoded shellcode to be securely written into memory.
    • 'CreateThread' then executes the injected shellcode, setting the stage for downloading the next payload.
  4. Payload Delivery:
    • The shellcode downloads a file misleadingly titled "GoogleUpdate," which contains an injector payload.
    • This payload is designed to evade detection by security software and load MerkSpy into memory.

MerkSpy's Capabilities

Once MerkSpy is loaded onto the system, it establishes persistence by making changes to the Windows Registry, ensuring it runs automatically upon system startup. The spyware's capabilities include:

  • Clandestine Monitoring:
    • Captures screenshots and logs keystrokes.
    • Monitors user activities and exfiltrates data to external servers.
  • Data Exfiltration:
    • Steals login credentials stored in Google Chrome.
    • Extracts data from the MetaMask browser extension.
    • Transmits all collected information to a designated URL ("45.89.53[.]46/google/update[.]php").

Broader Implications and Related Threats

This exploitation of the MSHTML flaw is part of a broader trend of sophisticated cyber attacks leveraging social engineering and technical vulnerabilities.

Related Threats:

  • Smishing Campaigns:
    • Symantec detailed a campaign targeting U.S. users with fraudulent SMS messages claiming to be from Apple. These messages direct users to bogus credential harvesting pages, tricking them into divulging their login information.
  • Phishing Techniques:
    • Attackers employ CAPTCHA systems to add a layer of legitimacy to their malicious websites, which mimic outdated but familiar login templates to deceive users.

Protecting Against Such Threats

To protect against threats like MerkSpy and similar campaigns, it is crucial to follow these best practices:

  1. Regular Updates:
    • Ensure all software, including operating systems and applications, is regularly updated to the latest versions to patch known vulnerabilities.
  2. Educate Users:
    • Educate users about the dangers of opening unsolicited email attachments and downloading files from untrusted sources.
  3. Advanced Security Solutions:
    • Use advanced security solutions that can detect and block malicious activities, including behavioral analysis tools that identify unusual patterns.
  4. Regular Backups:
    • Maintain regular backups of important data to minimize damage in the event of an infection.
  5. Monitor for Indicators of Compromise (IoCs):
    • Continuously monitor systems for indicators of compromise, such as unusual network traffic or unauthorized changes to system configurations.

The exploitation of the MSHTML flaw to deliver MerkSpy spyware underscores the importance of staying vigilant and proactive in cybersecurity. By understanding the attack vectors and implementing robust security measures, individuals and organizations can better protect themselves against these evolving threats. For more insights and updates on cybersecurity, stay tuned to trusted sources and continuously enhance your security posture.