MERKSPY SHIFTS GAME IN CORPORATE SECURITY

Unidentified attackers have been exploiting a vulnerability in Microsoft MSHTML to distribute the spyware known as Merkspy, targeting users in Canada, India, Poland, and the USA. Although the vulnerability was patched long ago, the attackers are still actively using it against unpatched systems.

According to Cara Lin, a researcher at Fortinet, Merkspy operates covertly to monitor users’ activities, steal confidential information, and maintain a persistent presence on infected systems. The attack begins when the victim opens a Microsoft Word document containing a job description for a programmer vacancy. Opening the document triggers the vulnerability (CVE-2021-40444), allowing remote code execution without any further user interaction.

Once the document is opened, an HTML file named “Olener.html” is downloaded from a remote server; after checking the operating system version, it triggers an embedded shellcode. The shellcode calls the “VirtualProtect” function to change memory permissions so that a decoded second-stage shellcode can be written into memory, and then calls “CreateThread” to execute that injected shellcode, which in turn loads and runs further malicious code from the attacker’s server.
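The VirtualProtect-then-CreateThread sequence described above is a pattern a defender can hunt for in API-call telemetry. The following Python script is an added example, not code from the original article or from Fortinet’s report: it runs over a constructed, simplified API trace (the `pid=… api=… …` line format is an assumption, not the output of any real monitoring tool) and flags every thread whose start address falls inside a region that an earlier VirtualProtect in the same process made executable.

```python
"""Flag the VirtualProtect -> CreateThread shellcode pattern in an API-call trace.

Added example: the trace format below is constructed for illustration and is
not the output of any real monitoring tool.
"""
import re

# Memory-protection constants from winnt.h; any of these marks a page executable.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Constructed sample trace: process 4120 shows the suspicious sequence,
# process 5200 only makes a benign read/write protection change.
SAMPLE_TRACE = [
    "pid=4120 api=VirtualAlloc addr=0x1f0000 size=0x1000 prot=0x04",
    "pid=4120 api=VirtualProtect addr=0x1f0000 size=0x1000 newprot=0x40 oldprot=0x04",
    "pid=4120 api=CreateThread start=0x1f0040",
    "pid=5200 api=VirtualProtect addr=0x2a0000 size=0x2000 newprot=0x04 oldprot=0x02",
    "pid=5200 api=CreateThread start=0x7ff6a0001000",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a 'key=value key=value' trace line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_shellcode_threads(lines):
    """Return (pid, protect_line_no, thread_line_no, start_addr) for every
    CreateThread whose start address lies in a region that an earlier
    VirtualProtect in the same process made executable."""
    exec_regions = {}  # pid -> list of (start, end, line_no)
    alerts = []
    for line_no, line in enumerate(lines, 1):
        fields = parse_line(line)
        if "pid" not in fields or "api" not in fields:
            continue
        pid = int(fields["pid"])
        regions = exec_regions.setdefault(pid, [])
        if fields["api"] == "VirtualProtect":
            # Only protection changes that add execute rights are interesting.
            if int(fields["newprot"], 16) & EXEC_MASK:
                start = int(fields["addr"], 16)
                regions.append((start, start + int(fields["size"], 16), line_no))
        elif fields["api"] == "CreateThread":
            thread_start = int(fields["start"], 16)
            for lo, hi, protect_line in regions:
                if lo <= thread_start < hi:
                    alerts.append((pid, protect_line, line_no, thread_start))
                    break
    return alerts


if __name__ == "__main__":
    for pid, p_line, t_line, addr in find_shellcode_threads(SAMPLE_TRACE):
        print(f"pid {pid}: thread started at {addr:#x} (line {t_line}) inside "
              f"a region made executable on line {p_line}")
```

The check is deliberately narrow: a thread start address inside a freshly made-executable region is the signal, so a process that merely flips a page to read/write, or starts a thread in an image-backed region, is not flagged.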

The shellcode loads a file named “Googleupdate,” which is actually a payload injector designed to evade antivirus detection and load Merkspy into the system’s memory. Merkspy persists on the infected device by modifying the Windows Registry so that it starts automatically at system boot. The spyware can capture screenshots, log keystrokes, harvest login data stored in Google Chrome, and extract information from the MetaMask browser extension used to manage cryptocurrency wallets. All collected data is then sent to the attacker’s server.
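The article says Merkspy persists through the Windows Registry so that it starts at boot. The following Python script is an added example, not code from the article or from Fortinet: it audits Run and RunOnce entries in a constructed `.reg` export (the entries, including the `GoogleUpdate` value, are constructed sample data) and flags autostart binaries that live outside Program Files and the Windows directory. Treating everything outside those roots as a user-writable location is an assumed hunting heuristic, not a rule stated on the page.

```python
"""Audit Run/RunOnce entries in a .reg export for autostart binaries in
user-writable locations.

Added example: SAMPLE_REG is constructed data, and the trusted-prefix list is
an assumed heuristic.
"""
import re

# Constructed .reg export with one benign and one suspicious Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"GoogleUpdate"="C:\\Users\\alice\\AppData\\Roaming\\GoogleUpdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Autostart binaries under these roots are treated as expected (assumption);
# anything else usually means a user-writable directory such as AppData or Temp.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # Undo .reg string escaping: a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def exe_path(command):
    """Extract the executable path from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def audit_reg_export(text):
    """Return (key, value_name, exe_path) for Run/RunOnce entries outside trusted roots."""
    findings = []
    current_key, in_run_key = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_run_key = bool(RUN_KEY_RE.search(line))
            continue
        if not in_run_key:
            continue
        match = VALUE_RE.match(line)
        if not match:  # skips hex:/dword: values and blank lines
            continue
        name, data = unescape(match.group(1)), unescape(match.group(2))
        path = exe_path(data)
        if not is_trusted(path):
            findings.append((current_key, name, path))
    return findings


if __name__ == "__main__":
    for key, name, path in audit_reg_export(SAMPLE_REG):
        print(f"[{key}] {name!r} starts {path} from an untrusted location")
```

On a live system the same logic can be fed the output of `reg export` for the HKCU and HKLM Run keys; a finding is a lead to verify against the file’s signature and install history, not proof of infection on its own.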

Fortinet emphasizes the sophistication of modern cyber attacks, showing how a seemingly routine task such as reviewing job-related documents can be exploited by malicious actors. The incident highlights the need for a holistic approach to cybersecurity that combines technical defenses with raising employee awareness of potential cyber risks.
