Unknown threat actors have been seen using a now-patched security hole in Microsoft MSHTML to distribute a spying tool called MerkSpy as part of a campaign mainly targeting users in Canada, India, Poland, and the U.S.
"MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs analyst Cara Lin stated in a study released last week.
The starting point of the attack chain is a Microsoft Word document that purports to offer a job description for a software engineer vacancy.
But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that can lead to remote code execution without any further user interaction. Microsoft fixed it as part of its Patch Tuesday updates released in September 2021.
In this example, it opens the way for the download of an HTML file ("olerender.html") from a remote server that, in turn, triggers the execution of an embedded shellcode after validating the operating system version.
"Olerender.html" makes use of "'VirtualProtect' to modify memory permissions, allowing the decoded shellcode to be written into memory securely," Lin revealed.
"Following this, 'CreateThread' runs the injected shellcode, setting the scene for downloading and executing the next payload from the attacker's site. This technique guarantees that the infected code runs flawlessly, encouraging future exploitation."
The shellcode acts as a downloader for a file that's cleverly dubbed "GoogleUpdate" but, in fact, hides an injector payload responsible for escaping detection by security software and installing MerkSpy into memory.
The malware creates persistence on the host using Windows Registry modifications so that it's started automatically upon system restart. It also comes with capabilities to clandestinely gather sensitive information, monitor user actions, and exfiltrate data to remote servers under the threat actors' control.
This includes screenshots, keystrokes, login credentials kept in Google Chrome, and data from the MetaMask browser plugin. All this information is delivered to the URL "45.89.53[.]46/google/update[.]php."
The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages ("signin.authen-connexion[.]info/icloud") in order to continue using the services.
"The malicious website is accessible from both desktop and mobile browsers," the Broadcom-owned business stated. "To provide a layer of apparent validity, they have incorporated a CAPTCHA that users must complete. After this, visitors are sent to a website that replicates an obsolete iCloud login design."
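For defenders, the actionable parts of both campaigns are the network indicators the article quotes: the MerkSpy exfiltration URL and the smishing landing domain. The script below is an added example, not code from Fortinet, Symantec, or the article; it refangs the indicators exactly as the article prints them, compiles them into a single literal matcher, and scans constructed proxy log lines (sample data made up for this example) to show which hosts would need triage.

```python
import re

# Network indicators quoted in the article, kept in their published defanged form.
DEFANGED_IOCS = [
    "45.89.53[.]46/google/update[.]php",        # MerkSpy exfiltration endpoint
    "signin.authen-connexion[.]info/icloud",     # smishing credential-harvesting page
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("[.]", "hxxp") back to its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(indicators):
    """Compile one case-insensitive regex that matches any indicator as a literal string."""
    pattern = "|".join(re.escape(refang(i)) for i in indicators)
    return re.compile(pattern, re.IGNORECASE)


def scan_log(lines, matcher):
    """Return (line_number, matched_indicator) for every log line containing an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = matcher.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


def hosts_to_triage(lines, matcher):
    """Extract the 'host=' field from each hit so analysts get a deduplicated host list."""
    hosts = []
    for number, _ in scan_log(lines, matcher):
        field = re.search(r"host=(\S+)", lines[number - 1])
        if field and field.group(1) not in hosts:
            hosts.append(field.group(1))
    return hosts


# Constructed sample proxy log lines (not from the article); two are benign, two hit.
SAMPLE_PROXY_LOG = [
    "2024-07-01T10:02:11Z host=WS-17 method=GET url=http://example.com/index.html status=200",
    "2024-07-01T10:03:45Z host=WS-17 method=POST url=http://45.89.53.46/google/update.php status=200",
    "2024-07-01T10:05:02Z host=WS-22 method=GET url=https://signin.authen-connexion.info/icloud status=200",
    "2024-07-01T10:06:30Z host=WS-22 method=GET url=https://www.apple.com/ status=200",
]

if __name__ == "__main__":
    matcher = build_matcher(DEFANGED_IOCS)
    for number, indicator in scan_log(SAMPLE_PROXY_LOG, matcher):
        print(f"line {number}: matched {indicator}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_PROXY_LOG, matcher))
```

Escaping each refanged indicator with `re.escape` matters: a bare dot in `45.89.53.46` would otherwise match any character and produce false positives on unrelated addresses. Matching on the full URL path rather than the IP alone also keeps the rule specific to the reported exfiltration endpoint.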