noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Technology

Fortinet Inc.

06/27/2024 | Press release | Distributed by Public on 06/27/2024 09:04

MerkSpy: Exploiting CVE 2021 40444 to Infiltrate Systems

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attack
Severity Level: High

Spyware is malicious software engineered to covertly monitor and gather information from a user's computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.

FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft Office. This flaw allows attackers to execute malicious code via specially crafted documents. In this instance, the exploitation led to the deployment of a spyware payload known as "MerkSpy." MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems.

This blog will dissect the stages of this complex attack, offering insights into the techniques used by cybercriminals to infiltrate systems and steal sensitive data.

CVE-2021-40444 Exploitation

The initial vector for this attack is a deceptive Microsoft Word document posing as a job description for a software developer position.

Opening the document triggers the exploitation of CVE-2021-40444, a remote code execution vulnerability within the MSHTML component used by Internet Explorer in Microsoft Office. This vulnerability permits an attacker to execute arbitrary code on a victim's machine without additional user interaction beyond opening the document. The attacker conceals the URL within the "\_rels\document.xml" file. It directs to hxxp://45[.]89[.]53[.]46/google/olerender[.]html, downloading an HTML file that sets the stage for the next phase of the attack.

Figure 3: \_rels\document.xml

ShellCode Preparation

After the successful exploitation, the malicious document initiates the downloaded payload, "olerender.html," from a remote server. This HTML file is strategically crafted, with innocuous script filling the beginning to mask its true intent. The end of the file conceals the shellcode and injection process, which propels the attack forward when executed on the victim's machine.

Figure 5: Code at the end of olerender.html

"olerender.html" first checks the system's OS version. If it detects an X64 architecture, it extracts the embedded "sc_x64" shellcode.

After determining the OS version and extracting the appropriate shellcode, "olerender.html" locates and retrieves the Windows APIs "VirtualProtect" and "CreateThread." These functions are crucial for the following steps: it leverages "VirtualProtect" to modify memory permissions, allowing the decoded shellcode to be written into memory securely. Following this, "CreateThread" executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker's server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation.

Figure 7: Retrieving the Windows APIs

Figure 8: Decoding the shellcode via XOR

Figure 9: Writing and invoking the shellcode

ShellCode

Once the shellcode is in place, it functions as a downloader, initiating the next phase of the attack. It reaches out to the same remote server to fetch a file, deceptively named "GoogleUpdate." Despite its seemingly innocuous name, "GoogleUpdate" is far from benign. This file harbors the core malicious payload, which is deeply encoded to evade detection by standard security measures. Upon successful download, the shellcode meticulously decodes and prepares this payload for execution.

Figure 10: Downloaded "GoogleUpdate"

Once "GoogleUpdate" is downloaded, the shellcode decodes the file using an XOR key of 0x25021420 and an increment value of 0x00890518. This decryption process is crucial as it extracts the concealed actual payload embedded within the file. By employing these specific cryptographic techniques, the shellcode ensures that the malicious content remains hidden, allowing the attacker to execute their intended operations on the compromised system effectively.

Figure 11: XOR-decoded file and its payload injection

MerkSpy

The extracted payload is protected with VMProtect. Its primary function is seamlessly injecting the MerkSpy spyware into crucial system processes. MerkSpy spyware operates covertly within a system, enabling it to capture sensitive information, monitor user activities, and exfiltrate data to remote servers controlled by malicious actors.

Figure 12: A file's information shown using the DIE (Detect It Easy) tool

MerkSpy achieves persistence by masquerading as "Google Update," adding a registry entry for "GoogleUpdate.exe" in "Software\Microsoft\Windows\CurrentVersion\Run." This deceptive tactic ensures that MerkSpy launches automatically at system startup, enabling continuous operation and data exfiltration without the user's knowledge or consent.

Figure 13: Creating a registry entry

Following its installation, MerkSpy initiates the exfiltration process and begins monitoring specific targets: capturing screenshots, logging keystrokes, retrieving Chrome login credentials, and accessing the MetaMask extension. Once it gathers this data, MerkSpy uploads the collected information to the attacker's server through the URL hxxp://45[.]89[.]53[.]46/google/update[.]php.

Figure 14: Switch cases of monitoring a compromised endpoint

The POST request employs a user agent string of "WINDOWS" and uses a fixed boundary, "---------------------------update request," indicating it is a multi-part form-data submission. The request body is comprised of multiple parts:

"id"-Specifies the client ID, which includes the computer's hostname and the user's name.
"check"-A status flag indicating the check-in.

"key"-Contains the data captured by the keystroke logger. When uploading a large file, this parameter serves as an index for the uploading file.

"fileToUpload[]" - Represents an uploaded file, such as extracted login credentials or a screenshot.

Based on telemetry from the C2 server at "45[.]89[.]53[.]46," a significant activity spike began at the end of May, primarily targeting North America and India.

Conclusion

The initial phase of the attack leverages a vulnerability in the MSHTML component used by Internet Explorer. Upon exploitation, it initiates the download of a file named "olerender.html," which contains JavaScript and embedded shellcode. This shellcode decodes the downloaded content to execute an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes. MerkSpy is capable of sophisticated surveillance activities, including keystroke logging, screenshot capture, and harvesting Chrome browser login data. By understanding the intricacies of this attack chain, organizations can enhance their readiness and deploy effective defenses against such intrusions. FortiGuard Labs remains vigilant in monitoring these threats and offers ongoing intelligence to safeguard our users.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

MSOffice/Agent.AN!tr

HTML/Agent.SC!tr

Data/Agent.C1FT!tr

W64/Injector.SRQ!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (content disarm and reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.

We also suggest that organizations go through Fortinet's free NSE training module: NSE 1 - Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

IP Addresses

45[.]89[.]53[.]46

Files

92eb60179d1cf265a9e2094c9a54e025597101b8a78e2a57c19e4681df465e08

95a3380f322f352cf7370c5af47f20b26238d96c3ad57b6bc972776cc294389a

0ffadb53f9624950dea0e07fcffcc31404299230735746ca43d4db05e4d708c6

dd369262074466ce937b52c0acd75abad112e395f353072ae11e3e888ac132a8

569f6cd88806d9db9e92a579dea7a9241352d900f53ff7fe241b0006ba3f0e22

6cdc2355cf07a240e78459dd4dd32e26210e22bf5e4a15ea08a984a5d9241067

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format