Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Summary:
A recent attack campaign exploited a now-patched vulnerability (CVE-2021-40444) in Microsoft Office's MSHTML component to deliver MerkSpy spyware. This spyware primarily targeted users in Canada, India, Poland, and the U.S. The attackers meticulously crafted a deceptive Microsoft Word document disguised as a software developer job description to trick users into initiating the exploit. Once a user opened the malicious document, the vulnerability allowed attackers to execute arbitrary code and download a subsequent payload named "olerender.html." This HTML file cleverly concealed malicious shellcode designed to inject MerkSpy spyware into the system. MerkSpy operated covertly within compromised systems, enabling it to capture sensitive information like login credentials, monitor user activities through keystroke logging and screenshots, and exfiltrate stolen data to remote servers controlled by the attackers. To maintain persistence, MerkSpy masqueraded as a legitimate application named "GoogleUpdate.exe" and added a registry entry to ensure automatic launch at system startup. This tactic allowed for continuous data theft without the user's knowledge or consent.

Security Officer Comments:
This campaign emphasizes the persistent threat posed by unpatched vulnerabilities combined with social engineering. Even though Microsoft patched CVE-2021-40444, attackers may still target outdated systems. Users should exercise caution when opening email attachments, especially those from unknown senders, and ensure their software is up to date with the latest security patches. Organizations can add a layer of protection by implementing email filtering solutions to block malicious attachments and by educating employees on recognizing phishing attempts.

The multi-stage attack chain employed in this campaign showcases the attackers' sophistication. The initial HTML file ("olerender.html") obfuscated the malicious payload inside innocuous-looking script, making it difficult for traditional security measures to detect. Additionally, MerkSpy's persistence mechanisms, such as masquerading as a legitimate application and adding a registry entry, further complicate its removal from compromised systems. Security teams should leverage endpoint detection and response (EDR) solutions to identify and swiftly respond to such threats.

Suggested Corrections:
IOCs for this threat campaign are published here.

  • Patch Management: Ensure all systems are promptly updated with the latest security patches, especially those addressing the exploited vulnerability (CVE-2021-40444). Patch management should be a continuous process.
  • User Awareness Training: Educate employees on recognizing phishing attempts. Train them to be wary of unsolicited attachments, even if they appear legitimate, such as job descriptions.
  • Email Filtering: Implement email filtering solutions to block malicious attachments containing exploits or malware.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor system activity and identify suspicious behavior indicative of malware infection.
  • Multi-Factor Authentication (MFA): Implement MFA as an additional layer of security for user logins. For the most effective security posture, use who-you-are (inherence) authentication factors, which are more difficult to steal than passwords captured by a keylogger.
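The autostart audit that the EDR recommendation above calls for, written here as an added example and not part of the original brief: it scans Run-key entries for a GoogleUpdate.exe launched from anywhere other than its expected install directory, and for any autostart launched from a user-writable path. The sample entries, the expected-directory allowlist and the suspicious-directory list are constructed assumptions, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample autostart entries as (registry key, value name, command line).
# Made up for this example; none of these are indicators from the campaign.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Google Update",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "GoogleUpdate",
     r"C:\Users\alice\AppData\Roaming\GoogleUpdate.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe -k"),
]

# Assumption: where a genuine GoogleUpdate.exe is expected to live; tune per fleet.
EXPECTED_DIRS = {
    "googleupdate.exe": (r"c:\program files (x86)\google\update",),
}
# Assumption: user-writable locations from which no autostart should launch.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\downloads\\", "\\users\\public\\")

def executable_path(command):
    """Return the program path from a Run-key command line (quoted or bare)."""
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', command)
    return m.group(1) or m.group(2)

def audit_run_entries(entries):
    """Return (key, value name, path, reasons) for every suspicious entry."""
    findings = []
    for key, name, command in entries:
        path = PureWindowsPath(executable_path(command))
        exe = path.name.lower()
        parent = str(path.parent).lower()
        reasons = []
        expected = EXPECTED_DIRS.get(exe)
        if expected and parent not in expected:
            reasons.append(f"{path.name} outside expected install dir")
        if any(tok in f"{parent}\\" for tok in SUSPICIOUS_DIRS):
            reasons.append("autostart from user-writable directory")
        if reasons:
            findings.append((key, name, str(path), "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for key, name, path, why in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {key}\\{name} -> {path}: {why}")
```

On a live host the entries would come from `reg query` output or a Sysmon registry event feed rather than the embedded sample.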

Link(s):
https://thehackernews.com/2024/07/microsoft-mshtml-flaw-exploited-to.html