Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.
FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft Office. This flaw allows attackers to execute malicious code via specially crafted documents. In this instance, the exploitation led to deploying a spyware payload known as “MerkSpy.” MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems.[1]
This blog will dissect the stages of this complex attack, offering insights into the techniques used by cybercriminals to infiltrate systems and steal sensitive data.
Attack flow
CVE-2021-40444 Exploitation - The initial vector for this attack is a deceptive Microsoft Word document posing as a job description for a software developer position.
Word document
Opening the document triggers the exploitation of CVE-2021-40444, a remote code execution vulnerability within the MSHTML component used by Internet Explorer in Microsoft Office. This vulnerability permits an attacker to execute arbitrary code on a victim’s machine without additional user interaction beyond opening the document. The attacker conceals the URL within the “\_rels\document.xml” file. It directs to hxxp://45[.]89[.]53[.]46/google/olerender[.]html, downloading an HTML file that sets the stage for the next phase of the attack.
\_rels\document.xml
ShellCode Preparation—After the successful exploitation, the malicious document initiates the downloaded payload, “olerender.html,” from a remote server. This HTML file is strategically crafted, with an innocuous script filling the beginning to mask its true intent. The end of file conceals the shellcode and injection process, which propels the attack forward when executed on the victim’s machine.
olerender.html
Code at the end of olerender.html
“olerender.html” first checks the system’s OS version. If it detects an X64 architecture, it extracts the embedded “sc_x64” shellcode.
OS checking
After determining the OS version and extracting the appropriate shellcode, “olerender.html” locates and retrieves the Windows APIs “VirtualProtect” and “CreateThread.” These functions are crucial for the following steps: it leverages “VirtualProtect” to modify memory permissions, allowing the decoded shellcode to be written into memory securely. Following this, “CreateThread” executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker’s server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation.Retrieving the Windows APIs
Decoding the shellcode via XOR
Writing and invoking the shellcode
ShellCode - Once the shellcode is in place, it functions as a downloader, initiating the next phase of the attack. It reaches out to the same remote server to fetch a file, deceptively named “GoogleUpdate.” Despite its seemingly innocuous name, “GoogleUpdate” is far from benign. This file harbors the core malicious payload, which is deeply encoded to evade detection by standard security measures. Upon successful download, the shellcode meticulously decodes and prepares this payload for execution.
Downloaded "GoogleUpdate"
Once “GoogleUpdate” is downloaded, the shellcode decodes the file using an XOR key of 0x25021420 and an increment value of 0x00890518. This decryption process is crucial as it extracts the concealed actual payload embedded within the file. By employing these specific cryptographic techniques, the shellcode ensures that the malicious content remains hidden, allowing the attacker to execute their intended operations on the compromised system effectively.
XOR-decoded file and its payload injection
MerkSpy - The extracted payload is protected with VMProtect. Its primary function is seamlessly injecting the MerkSpy spyware into crucial system processes. MerkSpy spyware operates covertly within a system, enabling it to capture sensitive information, monitor user activities, and exfiltrate data to remote servers controlled by malicious actors.
A file's information shown using the DIE (Detect It Easy) tool
MerkSpy achieves persistence by masquerading as “Google Update,” adding a registry entry for “GoogleUpdate.exe” in “Software\Microsoft\Windows\CurrentVersion\Run.” This deceptive tactic ensures that MerkSpy launches automatically at system startup, enabling continuous operation and data exfiltration without the user’s knowledge or consent.
Creating a registry entry
Following its installation, MerkSpy initiates the exfiltration process and begins monitoring specific targets: capturing screenshots, logging keystrokes, retrieving Chrome login credentials, and accessing the MetaMask extension. Once it gathers this data, MerkSpy uploads the collected information to the attacker’s server through the URL hxxp://45[.]89[.]53[.]46/google/update[.]php.
Switch cases of monitoring a compromised endpoint
The POST request employs a user agent string of “WINDOWS” and uses a fixed boundary, “---------------------------update request,” indicating it is a multi-part form-data submission. The request body is comprised of multiple parts:
“id”—Specifies the client ID, which includes the computer’s hostname and the user’s name.
“check”—A status flag indicating the check-in.
“key”— Contains the data captured by the keystroke logger. When uploading a large file, this parameter serves as an index for the uploading file.
“fileToUpload[]” - Represents an uploaded file, such as extracted login credentials or a screenshot.
Based on telemetry from the C2 server at “45[.]89[.]53[.]46,” a significant activity spike began at the end of May 2024, primarily targeting North America and India.
Telemetry
Conclusion - The initial phase of the attack leverages a vulnerability in the MSHTML component used by Internet Explorer. Upon exploitation, it initiates the download of a file named “olerender.html,” which contains JavaScript and embedded shellcode. This shellcode decodes the downloaded content to execute an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes. MerkSpy is capable of sophisticated surveillance activities, including keystroke logging, screenshot capture, and harvesting Chrome browser login data. By understanding the intricacies of this attack chain, organizations can enhance their readiness and deploy effective defenses against such intrusions. FortiGuard Labs remains vigilant in monitoring these threats and offers ongoing intelligence to safeguard our users.
IOCs
IP Addresses
45[.]89[.]53[.]46
Files
92eb60179d1cf265a9e2094c9a54e025597101b8a78e2a57c19e4681df465e08
95a3380f322f352cf7370c5af47f20b26238d96c3ad57b6bc972776cc294389a
0ffadb53f9624950dea0e07fcffcc31404299230735746ca43d4db05e4d708c6
dd369262074466ce937b52c0acd75abad112e395f353072ae11e3e888ac132a8
569f6cd88806d9db9e92a579dea7a9241352d900f53ff7fe241b0006ba3f0e22
6cdc2355cf07a240e78459dd4dd32e26210e22bf5e4a15ea08a984a5d9241067
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-40444-to-infiltrate-systems/
Comments