Monday , March 31 2025
diagram

MerkSpy Exploits Microsoft Office Vulnerability: FortiGuard report

FortiGuard Labs found an attack that uses the CVE-2021-40444 vulnerability in Microsoft Office. This flaw lets attackers run harmful code through specific documents. The attack deployed a spyware called “MerkSpy” which secretly watches user activities, collects sensitive information, and stays on compromised systems.

The attack starts with a harmless-looking Microsoft Word document, usually pretending to be a job posting or something else interesting. When the document is opened, it triggers a vulnerability (CVE-2021-40444) that lets the attackers run harmful code and download more harmful software.

CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw

Canon has announced a critical security vulnerability, CVE-2025-1268, in printer drivers for its production printers, multifunction printers, and laser printers....
Read More
CVE-2025-1268  Patch urgently! Canon Fixes Critical Printer Driver Flaw

Within Minute, RamiGPT To Escalate Privilege Gaining Root Access

RamiGPT is an AI security tool that targets root accounts. Using PwnTools and OpwnAI, it quickly navigated privilege escalation scenarios...
Read More
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access

Australian fintech database exposed in 27000 records

Cybersecurity researcher Jeremiah Fowler recently revealed a sensitive data exposure involving the Australian fintech company Vroom by YouX, previously known...
Read More
Australian fintech database exposed in 27000 records

Over 200 Million Info Leaked Online Allegedly Belonging to X

Safety Detectives' Cybersecurity Team found a forum post where a threat actor shared a .CSV file with over 200 million...
Read More
Over 200 Million Info Leaked Online Allegedly Belonging to X

FBI investigating cyberattack at Oracle, Bloomberg News reports

The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new tab that has led to...
Read More
FBI investigating cyberattack at Oracle, Bloomberg News reports

OpenAI Offering $100K Bounties for Critical Vulns

OpenAI has increased its maximum bug bounty payout to $100,000, up from $20,000, to encourage the discovery of critical vulnerabilities...
Read More
OpenAI Offering $100K Bounties for Critical Vulns

Splunk Alert User RCE and Data Leak Vulns

Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These issues could lead...
Read More
Splunk Alert User RCE and Data Leak Vulns

CIRT alert Situational Awareness for Eid Holidays

As the Eid holidays near, cybercriminals may try to take advantage of weakened security during this time. The CTI unit...
Read More
CIRT alert Situational Awareness for Eid Holidays

Cyberattack on Malaysian airports: PM rejected $10 million ransom

Operations at Kuala Lumpur International Airport (KLIA) were unaffected by a cyber attack in which hackers demanded US$10 million (S$13.4...
Read More
Cyberattack on Malaysian airports: PM rejected $10 million ransom

Micropatches released for Windows zero-day leaking NTLM hashes

Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving...
Read More
Micropatches released for Windows zero-day leaking NTLM hashes
Source: FortiGuard

After being successfully exploited, the malicious document activates a downloaded file called “olerender.html” from a remote server. This HTML file contains a harmless script at the beginning to hide its true purpose, and the latter part contains the harmful code and injection process, which is used to carry out the attack on the victim’s computer.

The “olerender.html” file checks the operating system’s version and extracts the appropriate shellcode based on whether it detects an X64 architecture. After determining the OS version and extracting the shellcode, “olerender.html” retrieves the Windows APIs “VirtualProtect” and “CreateThread.” These functions are essential for the next steps. “VirtualProtect” changes memory permissions to securely write the decoded shellcode into memory, while “CreateThread” executes the injected shellcode, preparing for the download of the next payload from the attacker’s server.

Source: FortiGuard

MerkSpy is a powerful tool used by cybercriminals to record keystrokes, take screenshots, and steal login information from web browsers like Chrome. This stolen data is sent to the attackers, putting personal and financial information at risk.

“This shellcode decodes the downloaded content to execute an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes,” said Cara Lin, a senior researcher at FortiGuard Labs. “MerkSpy is capable of sophisticated surveillance activities, including keystroke logging, screenshot capture, and harvesting Chrome browser login data.“

Check Also

Splunk

Splunk Alert User RCE and Data Leak Vulns

Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud …

Leave a Reply

Your email address will not be published. Required fields are marked *