Exploitation of Microsoft MSHTML Vulnerability to Distribute MerkSpy Spyware

Cybersecurity Threat: Surveillance Tool MerkSpy Exploits Microsoft MSHTML Vulnerability

Recent reports from Fortinet's FortiGuard Labs describe a surveillance tool known as MerkSpy, which unidentified threat actors are delivering by exploiting a now-patched vulnerability in MSHTML, the Internet Explorer rendering engine that Office documents can also invoke. The campaign has primarily targeted users in Canada, India, Poland, and the United States.

MerkSpy is engineered to operate stealthily, discreetly monitoring user activity and collecting sensitive data from infected machines. According to Fortinet researcher Cara Lin, the infection chain begins with an innocuous-looking Microsoft Word document that poses as a job description for a software engineering position. When the document is opened, it exploits CVE-2021-40444, a high-severity remote code execution flaw in MSHTML that was exploited in the wild as a zero-day before Microsoft patched it in September 2021. The victim does have to open the document, so the attack depends on the social-engineering lure as much as on the bug.

Successful exploitation triggers the download of an HTML file named "olerender.html" from a remote server. After checking the operating system version, this file runs embedded shellcode. As Lin explains, "olerender.html" calls the Windows API function VirtualProtect to change the permissions of a memory region so that the decoded shellcode can be written there and then executed.

Once the shellcode runs, the attack moves to a download stage that retrieves a file named "GoogleUpdate," a name chosen to resemble Google's legitimate updater. The file is in fact an injector that is designed to evade security software and load MerkSpy into memory on the host. The spyware then modifies the Windows Registry so that it runs automatically at startup, giving it persistence on the compromised device.

MerkSpy can silently capture a wide range of sensitive user information, including screenshots, keystrokes, and login credentials from Google Chrome and the MetaMask browser extension. The collected data is exfiltrated to a server controlled by the threat actors at the URL "45.89.53[.]46/google/update[.]php."
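The two host- and network-side indicators the article gives, the autostart registry modification and the hard-coded C2 URL, are the cheapest things to hunt for. The PowerShell script below is an added example written for this page, not code from Fortinet's report or from the malware itself. It assumes the persistence lives in the standard Run/RunOnce keys (the article only says "the Windows Registry"), that it is run with administrative rights so HKLM is readable, and that a proxy or web log exists at the assumed path in `$ProxyLog`; the indicator values (olerender.html, GoogleUpdate, 45.89.53.46, /google/update.php) are the ones stated in the article, with the defanging brackets removed.

```powershell
# Added hunt script for the MerkSpy indicators described in the article.
# Not Fortinet's code. Assumptions: run as Administrator; Run/RunOnce keys are the
# persistence location; a proxy/web log exists at $ProxyLog (path is an assumption).

param(
    [string]$ProxyLog = "C:\Logs\proxy.log"   # assumed location of a proxy/web log
)

# Indicators taken from the article (defanged "[.]" restored to a real IP).
$C2Ip      = "45.89.53.46"
$C2Path    = "/google/update.php"
$Artifacts = @("olerender.html", "GoogleUpdate")

# Autostart keys checked in both hives (assumed; the article only says "the Registry").
$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

# Legitimate software normally autostarts from these roots; anything else deserves triage.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-SuspiciousRunValue {
    param([string]$Name, [string]$Command)
    $cmd = $Command.ToLowerInvariant()

    # 1) Value name or command line mentions an artifact from the campaign.
    foreach ($a in $Artifacts) {
        if ($Name -like "*$a*" -or $cmd -like "*$($a.ToLowerInvariant())*") {
            return "campaign artifact name '$a'"
        }
    }

    # 2) Executable lives outside the trusted roots (e.g. %APPDATA%, %TEMP%, user profile).
    #    Quoted paths may contain spaces, so honour the quotes before splitting on whitespace.
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    foreach ($root in $TrustedRoots) {
        if ($exe.StartsWith($root)) { return $null }
    }
    # Bare names such as "rundll32.exe ..." also land here; they need manual triage.
    return "autostart from untrusted path '$exe'"
}

$findings = @()

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like "PS*") { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $reason = Test-SuspiciousRunValue -Name $p.Name -Command ([string]$p.Value)
        if ($reason) {
            $findings += [pscustomobject]@{
                Source = $key
                Item   = "$($p.Name) = $($p.Value)"
                Reason = $reason
            }
        }
    }
}

# Network side: any request to the C2 IP or to the update.php path in the proxy log.
if (Test-Path $ProxyLog) {
    Select-String -Path $ProxyLog -Pattern ([regex]::Escape($C2Ip)), ([regex]::Escape($C2Path)) |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source = $ProxyLog
                Item   = $_.Line.Trim()
                Reason = "C2 indicator (line $($_.LineNumber))"
            }
        }
} else {
    Write-Warning "Proxy log $ProxyLog not found; skipping the network indicator check."
}

if ($findings.Count -eq 0) { "No MerkSpy indicators found." }
else { $findings | Format-Table -AutoSize -Wrap }
```

The path check is deliberately broad: a Run value whose command points into a user profile or temp directory is not proof of MerkSpy, but on a managed workstation it is rare enough that every hit should be explained. Note that the script only matches the literal URL path from the article; a hunt across an estate should also query DNS and proxy telemetry for the IP directly, since the path can change between samples.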

Separately, Symantec has identified a smishing campaign targeting U.S. users. The SMS messages impersonate Apple and try to lure recipients into entering their credentials on fake login sites. Broadcom, which owns Symantec, notes that the fraudulent sites try to look legitimate by presenting a CAPTCHA, which the victim completes before being redirected to a counterfeit iCloud login page.

Mapped to the MITRE ATT&CK framework, the MerkSpy chain covers Initial Access via a spearphishing attachment (T1566.001), Execution through exploitation of the document viewer (Exploitation for Client Execution, T1203), Persistence via registry autostart entries (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001), Collection through keylogging and screen capture (T1056.001, T1113) and credential theft from browsers (T1555.003), and Exfiltration over the command-and-control channel (T1041). The incident underscores that defenders still need to watch for a three-year-old Office exploit, and that social engineering remains the entry point even when a technical vulnerability does the heavy lifting.

As the threat landscape continues to evolve, organizations should keep Office and Windows patched, treat unsolicited job-themed documents with suspicion, and monitor autostart locations and outbound traffic for the indicators described above.
