Hashtag Technophile

MerkSpy Targeting Canada, India and US

FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft MSHTML to deliver a surveillance tool called MerkSpy, as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. MerkSpy is designed to covertly monitor user activity, capture sensitive information, and establish persistence on compromised systems.

[Figure: MerkSpy attack flow. Source: Fortinet]

Steps involved in this attack:

Step 1:

The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role. When the document is opened, it exploits CVE-2021-40444, a remote code execution vulnerability in the MSHTML component (the Internet Explorer rendering engine, also used by Microsoft Office). Because no user interaction is required beyond opening the document, the vulnerability lets an attacker run arbitrary code on the victim's computer. The attacker hides the URL in the file “_rels\document.xml”; it points to hxxp://45[.]89[.]53[.]46/google/olerender[.]html, which downloads an HTML file that prepares the system for the next phase of the attack.

Step 2:

Following a successful exploit, the infected document downloads the payload, “olerender.html,” from the remote server. The HTML file has been carefully constructed: harmless script occupies the beginning of the file to conceal its real purpose, while the shellcode and the injection routine are hidden at the end of the file and run once the attack executes on the victim’s computer.
“olerender.html” first checks the OS version of the system. If an x64 architecture is identified, the embedded “sc_x64” shellcode is extracted.

After determining the OS version and extracting the matching shellcode, “olerender.html” locates and resolves the Windows APIs “VirtualProtect” and “CreateThread.” Both are essential for the next steps: it uses “VirtualProtect” to change memory permissions so that the decrypted shellcode can be written into memory and executed, and “CreateThread” to run the injected shellcode, which in turn downloads and runs the next payload from the attacker’s server. This procedure ensures the malicious code runs without a hitch, which makes further exploitation easier.

Step 3:

Once the shellcode runs, it acts as a downloader for the next phase of the attack. It connects to the same remote server to retrieve a file with the innocuous name “GoogleUpdate.” Despite the name, “GoogleUpdate” is anything but benign: it contains the main malicious payload, heavily encoded to avoid detection by common security tools. After the download completes, the shellcode decodes the payload and prepares it for execution.

Once “GoogleUpdate” has been downloaded, the shellcode decodes it using an XOR key of 0x25021420 and an increment value of 0x00890518. This decoding step is essential because it recovers the hidden payload embedded in the file. The custom encoding keeps the malicious content concealed from static inspection, which allows the attacker to carry out their intended actions on the compromised system.
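For an analyst who has the downloaded file and wants to recover the payload without executing the shellcode, the decoding scheme described above can be reproduced in a few lines. This is an added example, not code from the original post or from Fortinet, and it makes one assumption the post does not spell out: the file is processed as little-endian 32-bit words, each word is XORed with the running key, and the key is advanced by the increment after every word (mod 2^32). The sample buffer is constructed for the demo; a real file would be read from disk. The known-plaintext key recovery at the end generalises the idea: if the decoded payload is a PE file, its first four bytes are almost always `MZ\x90\x00`, which is enough to recover the initial key from the encoded data alone.

```python
import struct

XOR_KEY = 0x25021420    # initial 32-bit key reported for "GoogleUpdate"
INCREMENT = 0x00890518  # added to the key after each 32-bit word (assumed scheme)
MASK32 = 0xFFFFFFFF
MZ_DWORD = 0x00905A4D   # little-endian value of the usual PE prefix b"MZ\x90\x00"


def rolling_xor(data: bytes, key: int = XOR_KEY, inc: int = INCREMENT) -> bytes:
    """Decode (or, because XOR is symmetric, encode) data word by word.

    Assumption: each little-endian 32-bit word is XORed with the current key and
    the key is then incremented by `inc` modulo 2^32. A trailing partial word is
    XORed with the low bytes of the key that would have applied to it.
    """
    out = bytearray()
    k = key & MASK32
    for off in range(0, len(data), 4):
        chunk = data[off:off + 4]
        key_bytes = struct.pack("<I", k)
        out.extend(b ^ key_bytes[i] for i, b in enumerate(chunk))
        k = (k + inc) & MASK32
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a decoded payload: does it start with an MZ header?"""
    return blob[:2] == b"MZ"


def recover_initial_key(encoded: bytes, known_first_dword: int = MZ_DWORD) -> int:
    """Known-plaintext trick: if the first decoded word is known (e.g. MZ\\x90\\x00),
    the initial key is simply the first encoded word XOR that known value."""
    if len(encoded) < 4:
        raise ValueError("need at least one full 32-bit word")
    return struct.unpack("<I", encoded[:4])[0] ^ known_first_dword


# Constructed stand-in for a decoded payload (assumption: not real malware bytes).
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"constructed payload bytes for the demo!!"
SAMPLE_ENCODED = rolling_xor(SAMPLE_PLAINTEXT)  # what an analyst would find on disk


if __name__ == "__main__":
    decoded = rolling_xor(SAMPLE_ENCODED)
    print("decoded starts with MZ:", looks_like_pe(decoded))
    print("recovered key: 0x%08X" % recover_initial_key(SAMPLE_ENCODED))
```

If the recovered key does not match the expected 0x25021420 on a real file, the sample is probably using a different variant of the scheme (or a different word size), which is itself a useful finding before spending time on dynamic analysis.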

Step 4:

The extracted payload is protected with VMProtect. Its main purpose is to covertly inject the MerkSpy spyware into essential system processes. Operating surreptitiously within the system, MerkSpy watches user actions, gathers sensitive information, and exfiltrates data to remote servers under the attacker’s control.

MerkSpy achieves persistence by posing as “Google Update” and adding a registry entry for “GoogleUpdate.exe” under “Software\Microsoft\Windows\CurrentVersion\Run.” This deceptive technique guarantees that MerkSpy starts as soon as the device boots, allowing ongoing operation and data exfiltration without the user’s awareness or consent.
Once installed, MerkSpy begins exfiltration and starts monitoring particular targets: screenshots, keystrokes, Chrome login credentials, and the MetaMask plugin. After collecting this data, MerkSpy transfers it to the attacker’s server at hxxp://45[.]89[.]53[.]46/google/update[.]php.
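The persistence mechanism above, a Run value that impersonates “Google Update,” is one of the easiest parts of this chain to catch with endpoint telemetry. The following added example is not code from the original post or from Fortinet; it takes records shaped like Sysmon Event ID 13 (registry value set) and flags Run/RunOnce writes that look wrong. The sample events are constructed, and the path treated as the genuine Google Update location (`C:\Program Files (x86)\Google\Update\GoogleUpdate.exe`) is an assumption of this example, not something the post states.

```python
import re
from dataclasses import dataclass

# Autostart keys the post names (Run), plus RunOnce, in either a user or machine hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed install location of the genuine Google updater (assumption, not from the post).
LEGIT_GOOGLE_UPDATE_RE = re.compile(
    r'^"?C:\\Program Files( \(x86\))?\\Google\\Update\\GoogleUpdate\.exe', re.IGNORECASE)
# Directories an unprivileged user can write to; autostarts from here are unusual.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Temp)\\", re.IGNORECASE)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class RegistryValueSet:
    """Fields of a Sysmon Event ID 13 record that matter for this check."""
    image: str          # process that performed the registry write
    target_object: str  # full path of the value that was written
    details: str        # value data, i.e. the command that will autostart


def assess_autostart(ev: RegistryValueSet):
    """Return None when the event is not a Run/RunOnce write; otherwise a list of
    reasons the write looks suspicious (an empty list means nothing stood out)."""
    if not RUN_KEY_RE.search(ev.target_object):
        return None
    value_name = ev.target_object.rsplit("\\", 1)[-1]
    reasons = []
    claims_google = "googleupdate" in (value_name + ev.details).replace(" ", "").lower()
    if claims_google and not LEGIT_GOOGLE_UPDATE_RE.match(ev.details):
        reasons.append("GoogleUpdate-named autostart outside the Google Update directory")
    if USER_WRITABLE_RE.search(ev.details):
        reasons.append("autostart command points into a user-writable directory")
    if ev.image.rsplit("\\", 1)[-1].lower() in OFFICE_PROCESSES:
        reasons.append("Run value written by an Office process")
    return reasons


def triage(events):
    """Return (target_object, reasons) for every Run write that raised a reason."""
    flagged = []
    for ev in events:
        reasons = assess_autostart(ev)
        if reasons:
            flagged.append((ev.target_object, reasons))
    return flagged


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    RegistryValueSet(  # genuine-looking updater in the expected location
        image=r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        target_object=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Google Update",
        details=r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c"),
    RegistryValueSet(  # the pattern the post describes: impostor dropped under the user profile
        image=r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
        target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Google Update",
        details=r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe"),
    RegistryValueSet(  # Word itself creating an autostart
        image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        details=r"C:\Users\bob\Downloads\update.exe"),
    RegistryValueSet(  # unrelated registry write, should be ignored
        image=r"C:\Windows\explorer.exe",
        target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        details="DWORD (0x00000001)"),
]


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_EVENTS):
        print(target)
        for r in reasons:
            print("   -", r)
```

The same three checks translate directly into a SIEM rule: a Run value whose name or data claims to be Google Update but whose path is not under the Google Update directory, a Run value pointing into a user-writable directory, and a Run value written by an Office process.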

The POST request is a multipart form-data submission that uses a fixed boundary, “————————update request,” and the user agent string “WINDOWS”. The body of the request is divided into several fields:

  1. “id”: the client ID, which consists of the user’s name and the hostname of the computer.
  2. “check”: a flag that indicates the check-in status.
  3. “key”: holds the data recorded by the keystroke logger. When a large file is uploaded, this parameter instead acts as an index for the file being uploaded.
  4. “fileToUpload[]”: an uploaded file, such as a screenshot or an extracted login.
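The request layout above is specific enough to be parsed and matched on the wire or in a proxy log. The following added example is not code from the original post or from Fortinet: it parses a multipart/form-data body, pulls out the four fields the post names, and reports whether the request matches the described check-in shape (the “WINDOWS” user agent, the fixed boundary, and an `id`/`check` pair). The boundary constant is written exactly as the post renders it; the real sample may use plain hyphens, so the parser always takes the boundary from the Content-Type header rather than assuming it. The sample request is constructed, not a real capture.

```python
import re

# Boundary and User-Agent as rendered in the post. Real traffic may use ASCII hyphens,
# which is why the boundary is always read from the Content-Type header below.
BOUNDARY = "————————update request"
USER_AGENT = "WINDOWS"


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field_name: [part, ...]}.
    Each part carries its filename (if any), content type and raw data."""
    delim = b"--" + boundary.encode("utf-8")
    fields = {}
    for raw in body.split(delim)[1:]:
        if raw.startswith(b"--"):              # closing delimiter: --boundary--
            break
        if raw.startswith(b"\r\n"):            # CRLF that follows the delimiter
            raw = raw[2:]
        head, _, data = raw.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("utf-8", "replace").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        fields.setdefault(name.group(1) if name else "", []).append({
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return fields


def analyse_checkin(headers: dict, body: bytes) -> dict:
    """Summarise a POST and decide whether it matches the described check-in shape."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    boundary = ctype.split("boundary=", 1)[1].strip() if "boundary=" in ctype else ""
    fields = parse_multipart(body, boundary) if boundary else {}

    def first_text(name):
        return fields[name][0]["data"].decode("utf-8", "replace") if name in fields else None

    return {
        "client_id": first_text("id"),
        "check": first_text("check"),
        "keylog_bytes": len(fields["key"][0]["data"]) if "key" in fields else 0,
        "uploads": [p["filename"] for p in fields.get("fileToUpload[]", [])],
        "matches_merkspy_pattern": (
            hdrs.get("user-agent") == USER_AGENT
            and boundary == BOUNDARY
            and {"id", "check"} <= set(fields)
        ),
    }


def _part(name: str, data: bytes, filename: str = None, ctype: str = None) -> bytes:
    """Encode one form-data part (used only to build the constructed sample)."""
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    head = disp + (f"\r\nContent-Type: {ctype}" if ctype else "")
    return b"--" + BOUNDARY.encode() + b"\r\n" + head.encode() + b"\r\n\r\n" + data + b"\r\n"


def build_sample_request() -> dict:
    """Constructed check-in request in the layout the post describes (not a real capture)."""
    body = (
        _part("id", b"alice@WORKSTATION-7")
        + _part("check", b"1")
        + _part("key", b"[12:01] notepad: hello wor")
        + _part("fileToUpload[]", b"\x89PNG\r\n\x1a\n...", "screen_01.png", "image/png")
        + b"--" + BOUNDARY.encode() + b"--\r\n"
    )
    headers = {"User-Agent": USER_AGENT,
               "Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
    return {"headers": headers, "body": body}


if __name__ == "__main__":
    req = build_sample_request()
    print(analyse_checkin(req["headers"], req["body"]))
```

A bare user agent of “WINDOWS” together with a multipart body whose boundary is not the random string a browser or HTTP library would generate is a strong signal on its own; the `id` field then gives the affected user and host directly, which is what an incident responder needs first.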

Final Thoughts:

By understanding the details of this attack chain, organisations can improve their preparedness and implement effective security controls against these kinds of intrusions.

If you have read this far, I hope you found this article informative. For more such articles, do subscribe at www.hashtagtechnophile.com

Follow us on Instagram for quick bites!

Make sure you rate or comment on this article, and if you find it useful, do share and subscribe, because that encourages me to write more.

Cheers! Until next time…❤️
