Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

admin, 2024-07-05 07:25:28

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.

"MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.

The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.

But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.

In this case, it paves the way for the download of an HTML file ("olerender.html") from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.

"Olerender.html" takes advantage of "'VirtualProtect' to modify memory permissions, allowing the decoded shellcode to be written into memory securely," Lin explained.

"Following this, 'CreateThread' executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker's server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation."

The shellcode serves as a downloader for a file that's deceptively titled "GoogleUpdate" but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.

The spyware establishes persistence on the host through Windows Registry changes such that it's launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors' control.

This includes screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL "45.89.53[.]46/google/update[.]php."

The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages ("signin.authen-connexion[.]info/icloud") in order to continue using the services.

"The malicious website is accessible from both desktop and mobile browsers," the Broadcom-owned company said. "To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template."

References

[1]https://thehackernews.com/2024/07/microsoft-mshtml-flaw-exploited-to.html


Originally published by the WeChat public account 知机安全: Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Reposts should retain this link (CN-SEC 中文网): https://cn-sec.com/archives/2919761.html
