Exploiting CVE-2021-40444 to Infiltrate Systems

July 2, 2024, 8:19 a.m.

Description

A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered the exploitation of CVE-2021-40444, allowing arbitrary code execution. This downloaded an HTML file to prepare shellcode, which then fetched a file called GoogleUpdate containing the MerkSpy payload. MerkSpy captures sensitive information like keystrokes and screenshots, exfiltrating the data to a remote server.

Date

Published: July 2, 2024, 8:09 a.m.
Created: July 2, 2024, 8:09 a.m.
Modified: July 2, 2024, 8:19 a.m.

Indicators


Attack Patterns

MerkSpy

T1115

T1027

T1056

T1566

T1003

CVE-2021-40444