MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems | FortiGuard Labs

FortiGuard Labs dissected MerkSpy, a spyware campaign that exploits CVE-2021-40444, a remote code execution flaw in the MSHTML engine reachable from a Microsoft Office document, to silently compromise Windows systems. The attack chain downloads and decodes a loader, places MerkSpy in memory, and exfiltrates keystrokes, screenshots, and Chrome credentials while persisting at startup. #MerkSpy #CVE-2021-40444 #GoogleUpdate #ChromeCredentials #MetaMask

Keypoints

  • MerkSpy campaign uses CVE-2021-40444 in a malicious Word document masquerading as a software developer job description.
  • Opening the document triggers remote code execution in MSHTML, leading to stage two payloads downloaded from a remote server.
  • The downloaded olerender.html carries the XOR-encoded shellcode together with the script that decodes it and stages it in memory.
  • The loader resolves the Windows APIs VirtualProtect and CreateThread, marks the decoded buffer executable, and starts a thread on it to run the payload.
  • The final payload, MerkSpy, is VMProtect-protected spyware capable of keylogging, screen capture, and credential theft.
  • MerkSpy persists via a Run key masquerading as GoogleUpdate and exfiltrates data to 45.89.53.46 using HTTP POST to google/update.php.
  • Fortinet protections include FortiGuard AV signatures, CDR disarming macros, NSE training, and IP reputation services.
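The loader stage above (an HTML page carrying an XOR-encoded blob that is decoded before VirtualProtect/CreateThread run it) is the point where an analyst wants to pull the payload out statically rather than let it execute. The following is an added example, not code from the FortiGuard post: the HTML snippet, the 0x5A key and the fake PE bytes are constructed for illustration, and the assumption that the blob sits in a single-quoted JavaScript hex string is mine, not a description of the real olerender.html. It recovers a single-byte XOR key from an expected plaintext prefix (the "MZ" header of a Windows executable) and falls back to brute force against a known DOS-stub string when the prefix check fails.

```python
"""Single-byte XOR recovery for a payload embedded in an HTML loader.

Added example for the MerkSpy write-up, not code from the FortiGuard post.
The HTML snippet, the 0x5A key and the fake PE bytes below are constructed
for illustration; the real olerender.html layout and key are not given here.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed plaintext: a PE-style header and the DOS stub string, which is
# what an analyst expects once the decoded payload is a Windows executable.
_FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode."
)
_KEY = 0x5A  # constructed key, chosen for the example only
ENCODED_BLOB = bytes(b ^ _KEY for b in _FAKE_PE)

# Constructed loader page: the encoded bytes sit in a JavaScript hex string
# (an assumed carrier format, not the layout of the real olerender.html).
SAMPLE_HTML = (
    "<html><script>\n"
    "var p = '" + ENCODED_BLOB.hex() + "';\n"
    "// decode-and-execute logic would follow here in a real loader\n"
    "</script></html>"
)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def extract_hex_blobs(html: str, min_hex_len: int = 32) -> list[bytes]:
    """Pull long single-quoted hex strings out of a page (assumed carrier format)."""
    pattern = r"'([0-9a-fA-F]{" + str(min_hex_len) + r",})'"
    # Odd-length matches cannot be valid hex byte strings, so skip them.
    return [bytes.fromhex(m) for m in re.findall(pattern, html) if len(m) % 2 == 0]


def recover_single_byte_key(data: bytes, known_prefix: bytes) -> Optional[int]:
    """Derive the key from the first byte and confirm it on the whole prefix.

    With a single-byte key, data[0] ^ known_prefix[0] is the key; checking the
    rest of known_prefix rejects coincidental hits when the prefix is short.
    """
    if not known_prefix or len(data) < len(known_prefix):
        return None
    key = data[0] ^ known_prefix[0]
    return key if xor_decode(data[: len(known_prefix)], key) == known_prefix else None


def brute_force_keys(data: bytes, marker: bytes) -> list[int]:
    """Fallback when the payload offset is unknown: keys whose decode contains marker."""
    return [k for k in range(256) if marker in xor_decode(data, k)]


def analyze_html(html: str) -> list[tuple[int, bytes]]:
    """Extract candidate blobs and return (key, decoded) for those that decode to a PE."""
    results: list[tuple[int, bytes]] = []
    for blob in extract_hex_blobs(html):
        key = recover_single_byte_key(blob, b"MZ")
        if key is None:
            candidates = brute_force_keys(blob, b"This program cannot be run")
            key = candidates[0] if candidates else None
        if key is not None:
            results.append((key, xor_decode(blob, key)))
    return results


if __name__ == "__main__":
    for key, decoded in analyze_html(SAMPLE_HTML):
        print(f"key=0x{key:02x} decoded starts with {decoded[:2]!r}")
```

The two-byte "MZ" check on its own is weak (a wrong key can match it by chance once in 65,536 tries, and a correct key on a non-PE payload never will), which is why the full-prefix confirmation and the longer DOS-stub marker are both there. Multi-byte or rolling XOR keys need a different approach; this only covers the single-byte case.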

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The initial vector is a deceptive Microsoft Word document posing as a job description for a software developer position. ‘The initial vector for this attack is a deceptive Microsoft Word document posing as a job description for a software developer position.’
  • [T1203] Exploitation for Client Execution – Opening the document triggers the exploitation of CVE-2021-40444, a remote code execution vulnerability in MSHTML, the Internet Explorer rendering engine that Microsoft Office embeds to render web content. ‘Opening the document triggers the exploitation of CVE-2021-40444, a remote code execution vulnerability…’
  • [T1105] Ingress Tool Transfer – The attacker downloads an HTML file (olerender.html) from a remote server to stage the attack. ‘downloads an HTML file that sets the stage for the next phase of the attack.’
  • [T1055] Process Injection – The shellcode uses the Windows APIs VirtualProtect and CreateThread to make the decoded buffer executable and run it; note that this is in-process execution of decoded code rather than injection into another process, so detections keyed on cross-process handles will not see it. ‘locates and retrieves the Windows APIs “VirtualProtect” and “CreateThread.”’
  • [T1140] Deobfuscate/Decode Files or Information – The loader XOR-decodes the embedded shellcode before executing it. ‘Decoding the shellcode via XOR’
  • [T1056.001] Input Capture – MerkSpy collects keystrokes as part of its surveillance. ‘capturing keystrokes.’
  • [T1113] Screen Capture – MerkSpy captures screenshots. ‘monitoring specific targets: capturing screenshots’
  • [T1555.003] Credentials from Web Browsers – The malware exfiltrates Chrome login credentials. ‘retrieving Chrome login credentials’
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence is achieved by creating a Run entry masquerading as GoogleUpdate.exe. ‘masquerading as “Google Update,” adding a registry entry for “GoogleUpdate.exe” in “Software\Microsoft\Windows\CurrentVersion\Run.”’
  • [T1071.001] Web Protocols – Exfiltration uses HTTP POST to the attacker server (C2). ‘The POST request… to the attacker’s server’
  • [T1036] Masquerading – The malware masquerades as legitimate Google Update to blend in. ‘masquerading as “Google Update”’

Indicators of Compromise

  • [IP Address] C2 server – 45.89.53.46
  • [URLs] Download and exfiltration endpoints – http://45.89.53.46/google/olerender.html, http://45.89.53.46/google/update.php
  • [Files] Sample hashes observed for malicious components – 92eb60179d1cf265a9e2094c9a54e025597101b8a78e2a57c19e4681df465e08, 95a3380f322f352cf7370c5af47f20b26238d96c3ad57b6bc972776cc294389a, 0ffadb53f9624950dea0e07fcffcc31404299230735746ca43d4db05e4d708c6, dd369262074466ce937b52c0acd75abad112e395f353072ae11e3e888ac132a8, 569f6cd88806d9db9e92a579dea7a9241352d900f53ff7fe241b0006ba3f0e22, 6cdc2355cf07a240e78459dd4dd32e26210e22bf5e4a15ea08a984a5d9241067
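The persistence and masquerading entries above (a Run value named after Google Update pointing at a user-writable path) and the network IOCs can be turned into hunting logic. The following is an added example written for this write-up, not FortiGuard's code: the Sysmon Event ID 13 records are flattened to key=value text and the proxy lines use an invented one-line format, and all of those log lines are constructed. The C2 IP and URLs are the ones listed in the IOC section; the "legitimate Google Update directory" paths and the user-writable-path heuristic are my assumptions about what a normal install looks like.

```python
"""Hunt for MerkSpy persistence and C2 activity in constructed log lines.

Added example for this write-up, not FortiGuard's code. The Sysmon events are
flattened to key=value text and the proxy lines use an invented one-line
format; both are constructed here. The C2 IP and URLs are the IOCs above.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

C2_IP = "45.89.53.46"
C2_URLS = {
    "http://45.89.53.46/google/olerender.html",  # stage-two loader download
    "http://45.89.53.46/google/update.php",      # HTTP POST exfiltration endpoint
}
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(\S+)", re.IGNORECASE
)
# Assumed locations of a genuine Google Update binary; any other path using the
# name is treated as masquerading.
LEGIT_GOOGLE_UPDATE_DIRS = (
    "c:\\program files (x86)\\google\\update\\",
    "c:\\program files\\google\\update\\",
)
# Lower-confidence heuristic: Run entries that launch from user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

SAMPLE_SYSMON = [  # constructed Sysmon Event ID 13 (registry value set) records
    "EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleUpdate "
    "Details=C:\\Users\\victim\\AppData\\Roaming\\GoogleUpdate.exe Image=C:\\Users\\victim\\AppData\\Local\\Temp\\job.exe",
    "EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleUpdate "
    "Details=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe Image=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
    "EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth "
    "Details=C:\\Windows\\System32\\SecurityHealthSystray.exe Image=C:\\Windows\\System32\\svchost.exe",
]
SAMPLE_PROXY = [  # constructed format: timestamp source method url status
    "2024-06-10T09:14:01Z 10.0.0.12 GET http://45.89.53.46/google/olerender.html 200",
    "2024-06-10T09:15:33Z 10.0.0.12 POST http://45.89.53.46/google/update.php 200",
    "2024-06-10T09:15:40Z 10.0.0.12 GET https://update.googleapis.com/service/update2 200",
]
PROXY_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse_kv(line: str) -> dict[str, str]:
    """Split 'Key=value' pairs; values may contain spaces, so cut at the next ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def check_run_key_event(event: dict[str, str]) -> list[str]:
    """Flag Run values that imitate Google Update or launch from user-writable paths."""
    findings: list[str] = []
    if event.get("EventID") != "13":
        return findings
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return findings
    value_name = m.group(1)
    target = event.get("Details", "").strip('"').lower()
    if "googleupdate" in value_name.lower() and not target.startswith(LEGIT_GOOGLE_UPDATE_DIRS):
        findings.append(f"Run value '{value_name}' imitates Google Update but launches {target}")
    if any(seg in target for seg in USER_WRITABLE):
        findings.append(f"Run value '{value_name}' launches from a user-writable path: {target}")
    return findings


def check_proxy_line(line: str) -> list[str]:
    """Match a proxy record against the exact C2 URLs, then against the C2 host."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    ts, src, method, url, _status = m.groups()
    if url in C2_URLS:
        return [f"{ts} {src}: {method} to known MerkSpy URL {url}"]
    if urlparse(url).hostname == C2_IP:
        return [f"{ts} {src}: {method} to MerkSpy C2 address {C2_IP} ({url})"]
    return []


def scan(sysmon_lines: list[str], proxy_lines: list[str]) -> list[str]:
    """Run both rule sets and return every finding in input order."""
    findings: list[str] = []
    for line in sysmon_lines:
        findings.extend(check_run_key_event(parse_kv(line)))
    for line in proxy_lines:
        findings.extend(check_proxy_line(line))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SYSMON, SAMPLE_PROXY):
        print(finding)
```

The registry rule fires twice on the first record (name masquerade plus user-writable path) and not at all on the second, which points at the assumed genuine Google Update location; in a real environment the user-writable heuristic will also catch legitimate per-user software, so treat it as an enrichment tier rather than an alert on its own. The proxy rule prefers the exact URL match because the IP alone may be reused by unrelated infrastructure after the campaign.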

Read more: https://feeds.fortinet.com/~/900172730/0/fortinet/blog/threat-research~MerkSpy-Exploiting-CVE-to-Infiltrate-Systems