Exploiting CVE-2021-40444 to Infiltrate Systems
July 2, 2024, 8:19 a.m.
Description
A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered exploitation of CVE-2021-40444, allowing arbitrary code execution. The exploit then downloaded an HTML file that staged shellcode, which in turn fetched a file named GoogleUpdate containing the MerkSpy payload. MerkSpy captures sensitive information such as keystrokes and screenshots and exfiltrates the data to a remote server.
Date
Published: July 2, 2024, 8:09 a.m.
Created: July 2, 2024, 8:09 a.m.
Modified: July 2, 2024, 8:19 a.m.
Indicators
Attack Patterns
MerkSpy
T1115
T1027
T1056
T1566
T1003
CVE-2021-40444