MerkSpy (Spyware) – Malware

MerkSpy
Type of Malware	Spyware
Country of Origin	Unknown
Date of Initial Activity	2024
Targeted Countries	Unknown
Associated Groups	Unknown
Motivation	Data Theft
Attack Vectors	Phishing Software Vulnerabilities
Type of Information Stolen	System Information Login credentials Personally Identifiable Information (PII)
Targeted Systems	Windows

Overview

MerkSpy represents a sophisticated and insidious form of spyware that exploits a critical vulnerability in Microsoft Office to infiltrate and compromise systems. This malware is particularly notable for its ability to operate covertly and effectively, making it a significant threat to both individual users and organizations. The initial attack vector for MerkSpy leverages the CVE-2021-40444 vulnerability within the MSHTML component of Microsoft Office, which allows attackers to execute arbitrary code through specially crafted documents. Once the vulnerability is exploited, MerkSpy’s payload is delivered via a seemingly innocuous HTML file. This file is designed to bypass traditional security measures by embedding malicious code within otherwise harmless content. The infection process is meticulously crafted to avoid detection, utilizing techniques such as shellcode injection and advanced obfuscation methods to remain hidden from standard antivirus solutions.

Targets

Information Individuals

How they operate

The initial vector of MerkSpy involves a malicious Microsoft Word document designed to exploit CVE-2021-40444, a critical vulnerability in the MSHTML component used by Internet Explorer. This vulnerability allows attackers to execute arbitrary code on the victim’s machine merely by opening the document. Once the document is opened, it triggers a chain of events that begins with the download of an HTML file named “olerender.html” from a remote server. This HTML file, while appearing benign, contains embedded shellcode that initiates the subsequent stages of the attack. Upon execution, “olerender.html” performs a series of actions to deploy the malware. It first verifies the victim’s operating system and extracts the appropriate shellcode based on whether the system is 32-bit or 64-bit. The shellcode then utilizes Windows APIs such as “VirtualProtect” and “CreateThread” to manipulate memory and execute further malicious payloads. This process includes downloading a file misleadingly named “GoogleUpdate,” which harbors the core MerkSpy spyware. This file is heavily obfuscated using XOR encryption to evade detection by traditional security measures. MerkSpy’s functionality is designed for stealth and persistence. Once installed, it masquerades as a legitimate process by creating a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, ensuring it runs automatically at system startup. MerkSpy then begins its surveillance operations, which include capturing keystrokes, taking screenshots, and harvesting sensitive data such as Chrome login credentials and MetaMask extension information. The stolen data is exfiltrated to the attacker’s server via HTTP POST requests, ensuring that critical information is continuously sent back to the cybercriminals. The operation of MerkSpy showcases the malware’s sophisticated use of obfuscation, exploitation, and persistence techniques. By exploiting a critical vulnerability, employing complex shellcode injection, and maintaining stealth through disguise and encryption, MerkSpy represents a significant threat to users and organizations. Understanding these techniques is crucial for developing effective defenses and mitigating the risks posed by such advanced malware.

MITRE Tactics and Techniques

Initial Access:

T1193: Spear Phishing Link: MerkSpy is delivered through a malicious Microsoft Word document exploiting the CVE-2021-40444 vulnerability, which is a form of spear phishing.

Execution:

T1203: Exploitation for Client Execution: The exploitation of CVE-2021-40444 falls under this technique, allowing execution of malicious code when the document is opened. T1064: Scripting: The HTML file (olerender.html) contains embedded shellcode and scripts that perform further actions, including downloading additional payloads.

Persistence:

T1547: Boot or Logon Autostart Execution: MerkSpy achieves persistence by masquerading as “GoogleUpdate” and creating a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

Defense Evasion:

T1027: Obfuscated Files or Information: MerkSpy employs obfuscation techniques, including XOR encryption, to hide its malicious payloads and evade detection. T1070: Indicator Removal on Host: The use of registry modifications to hide the malware’s presence can be considered a defense evasion technique.

Collection:

T1056: Input Capture: MerkSpy captures keystrokes as part of its data collection efforts. T1113: Screen Capture: The malware takes screenshots to gather information from the infected system.