
Sophisticated cyber attack exploits vulnerabilities in Microsoft Office


Cybersecurity researchers at FortiGuard Labs have discovered a sophisticated cyberattack that exploits a known vulnerability in Microsoft Office to distribute a powerful spyware called MerkSpy. This insidious malware is designed to infiltrate systems, monitor user activity, and steal sensitive information, posing a significant threat to individuals and organizations.

Description of the attack

  • Attack vehicle: The attack begins with a seemingly innocuous Microsoft Word document, often disguised as a job advert or other enticing content.
  • Vulnerability exploitation: When the document is opened, the vulnerability (CVE-2021-40444) is triggered, allowing the attackers to execute malicious code and download additional payloads.
  • Malicious files: The malicious document triggers the download of the “olerender.html” file from a remote server. This HTML file is carefully crafted: it opens with a benign-looking script to mask its true purpose, while the final part of the file hides the shellcode and the injection routine that advance the attack once executed on the victim’s computer.

Attack mechanism

The file “olerender.html” first checks the operating system version. If it detects an x64 architecture, it extracts the “sc_x64” shellcode.

After determining the operating system version and extracting the matching shellcode, “olerender.html” locates and resolves two Windows APIs, “VirtualProtect” and “CreateThread”.

VirtualProtect: changes the permissions of a memory region so that the decoded shellcode can be written to it.

CreateThread: executes the injected shellcode, setting the stage for the subsequent download of the payload from the attackers' server.
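As a defender's triage aid for the loader layout described above (a benign-looking script followed by an architecture check, a shellcode blob and API names resolved at runtime), here is an added example that is not FortiGuard's code or detection logic; the scoring weights, the `sc_x64`/`sc_x86` markers and the sample HTML are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators taken from the reported olerender.html behaviour.
# Constructed triage logic for this example, not FortiGuard's detection rules.
API_NAMES = ("VirtualProtect", "CreateThread")
ARCH_MARKERS = ("sc_x64", "sc_x86")
HEX_BLOB = re.compile(r"(?:[0-9a-fA-F]{2}){64,}")    # >= 64 contiguous hex bytes
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{128,}={0,2}")  # long base64-looking run

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    suspicious: bool = False

def triage_html(text: str, threshold: int = 5) -> Verdict:
    """Score an HTML/JS file for the traits of a shellcode-carrying loader."""
    v = Verdict()
    for api in API_NAMES:                  # Windows APIs resolved by name
        if api in text:
            v.score += 2
            v.hits.append(f"api:{api}")
    for marker in ARCH_MARKERS:            # per-architecture shellcode selection
        if marker in text:
            v.score += 1
            v.hits.append(f"arch:{marker}")
    for label, rx, weight in (("hex", HEX_BLOB, 3), ("b64", B64_BLOB, 2)):
        m = rx.search(text)
        if m:
            v.score += weight
            # the report places the payload at the end, behind a benign script
            where = "tail" if m.start() > len(text) // 2 else "head"
            v.hits.append(f"blob:{label}:{len(m.group())}:{where}")
            break                          # count one encoded blob, not both forms
    v.suspicious = v.score >= threshold
    return v

# Constructed samples (no real shellcode: the payload run is the byte 0x41 repeated).
BENIGN = "<html><script>document.title='Jobs';</script><p>Apply now</p></html>"
SUSPECT = ("<html><script>var t = 'Jobs'; document.title = t;</script>\n" * 4
           + "<script>var arch = navigator.userAgent.includes('x64') ? 'sc_x64' : 'sc_x86';\n"
           + "var sc_x64 = '" + "41" * 100 + "';\n"
           + "var fn = ['VirtualProtect', 'CreateThread'];</script></html>")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_html(sample))
```

Real samples frequently obfuscate API names and payload encoding, so a low score is inconclusive rather than a clean verdict; the check is a first-pass filter for files pulled from proxy or mail logs, not a replacement for sandbox analysis.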

MerkSpy Spyware Features

  • Functionality: MerkSpy is a powerful tool in the hands of cybercriminals, capable of silently recording keystrokes, capturing screenshots, and even stealing login credentials from popular web browsers like Chrome.
  • Data transmission: The stolen information is transmitted to the attackers' servers, potentially compromising personal and financial data.

Observations and recommendations

  • Geographical areas affected: The attack was observed in North America and India, highlighting the global reach of this threat.
  • Protective measures: FortiGuard Labs urges individuals and organizations to remain vigilant and take proactive measures to protect themselves, including keeping software updated, exercising caution when opening attachments from unknown sources, and implementing robust security solutions.

Cara Lin, senior researcher at FortiGuard Labs, said: “This shell code decodes the downloaded content to run an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes. MerkSpy is capable of sophisticated surveillance activities, including keystroke logging, screen capture, and Chrome browser login data collection.”
