Friday , July 12 2024
diagram

MerkSpy Exploits Microsoft Office Vulnerability: FortiGuard report

FortiGuard Labs found an attack that uses the CVE-2021-40444 vulnerability in Microsoft Office. This flaw lets attackers run harmful code through specific documents. The attack deployed a spyware called “MerkSpy” which secretly watches user activities, collects sensitive information, and stays on compromised systems.

The attack starts with a harmless-looking Microsoft Word document, usually pretending to be a job posting or something else interesting. When the document is opened, it triggers a vulnerability (CVE-2021-40444) that lets the attackers run harmful code and download more harmful software.

CVE-2024-5910
Critical Vulnerability Threatens Palo Alto Networks’ Expedition

Palo Alto Networks has issued a critical security advisory outlining numerous vulnerabilities across its product lines, such as PAN-OS, Cortex...
Read More
CVE-2024-5910  Critical Vulnerability Threatens Palo Alto Networks’ Expedition

Vulnerabilities in GitLab Allows Attackers to Execute Unauthorized Pipelines

GitLab has issued a warning about a serious vulnerability in its GitLab Community and Enterprise editions. This vulnerability allows attackers...
Read More
Vulnerabilities in GitLab Allows Attackers to Execute Unauthorized Pipelines

Adobe Issues Critical Security Patches for Various Products

Adobe released security updates to fix several vulnerabilities in their software. These vulnerabilities could be used by cyber attackers to...
Read More
Adobe Issues Critical Security Patches for Various Products

CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

OS command injection vulnerabilities are a preventable type of weakness in software. Manufacturers can eliminate them by taking a secure...
Read More
CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

Pakistan allows spy agency to intercept phone messages, calls

The Pakistan Ministry of Information Technology and Telecommunication has given permission to the Inter-Services Intelligence (ISI) to intercept citizens’ phone...
Read More
Pakistan allows spy agency to intercept phone messages, calls

Citrix Issues Critical Security Advisory for NetScaler

Citrix has warned users about severe vulnerabilities in their widely-used NetScaler products. These vulnerabilities, known as CVE-2024-6235 and CVE-2024-6236, could...
Read More
Citrix Issues Critical Security Advisory for NetScaler

(CVE-2024-38080, CVE-2024-38112)
Microsoft July Patch Tuesday fixes 142 flaws, 4 zero-days

Microsoft's July 2024 Patch Tuesday includes security updates for 142 flaws, including two zero-days that are actively exploited and two...
Read More
(CVE-2024-38080, CVE-2024-38112)  Microsoft July Patch Tuesday fixes 142 flaws, 4 zero-days

EXCLUSIVE
Analysis of 3 Ransomware Threats Active Right Now

Three emerging threats will be discussed below, along with how sandbox analysis can be utilized to detect them proactively. Lockbit...
Read More
EXCLUSIVE  Analysis of 3 Ransomware Threats Active Right Now

AVAST RELEASED DECRYPTOR FOR DONEX RANSOMWARE

Avast researchers found a security flaw in the DoNex ransomware and its previous versions, which allowed them to create a...
Read More
AVAST RELEASED DECRYPTOR FOR DONEX RANSOMWARE

Critical Security Advisory for Apache CloudStack

The Apache Software Foundation has warned about two serious security issues (CVE-2024-38346 and CVE-2024-39864) in Apache CloudStack, a popular open-source...
Read More
Critical Security Advisory for Apache CloudStack
Source: FortiGuard

After being successfully exploited, the malicious document activates a downloaded file called “olerender.html” from a remote server. This HTML file contains a harmless script at the beginning to hide its true purpose, and the latter part contains the harmful code and injection process, which is used to carry out the attack on the victim’s computer.

The “olerender.html” file checks the operating system’s version and extracts the appropriate shellcode based on whether it detects an X64 architecture. After determining the OS version and extracting the shellcode, “olerender.html” retrieves the Windows APIs “VirtualProtect” and “CreateThread.” These functions are essential for the next steps. “VirtualProtect” changes memory permissions to securely write the decoded shellcode into memory, while “CreateThread” executes the injected shellcode, preparing for the download of the next payload from the attacker’s server.

Source: FortiGuard

MerkSpy is a powerful tool used by cybercriminals to record keystrokes, take screenshots, and steal login information from web browsers like Chrome. This stolen data is sent to the attackers, putting personal and financial information at risk.

“This shellcode decodes the downloaded content to execute an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes,” said Cara Lin, a senior researcher at FortiGuard Labs. “MerkSpy is capable of sophisticated surveillance activities, including keystroke logging, screenshot capture, and harvesting Chrome browser login data.“

Check Also

CISA

CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

OS command injection vulnerabilities are a preventable type of weakness in software. Manufacturers can eliminate …

Leave a Reply

Your email address will not be published. Required fields are marked *