One Article Review

Home - The article:
Source RiskIQ
Identifier 8529199
Publication date 2024-07-01 11:03:12 (viewed: 2024-07-01 12:09:07)
Title MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems
Text
#### Targeted Geolocations
- India
- North America

## Snapshot
FortiGuard Labs Threat Research identified recent attacks exploiting the [CVE-2021-40444](https://security.microsoft.com/intel-profiles/CVE-2021-40444) vulnerability in Microsoft Office to deploy the spyware payload known as “MerkSpy.”

## Description
The initial vector for this attack is a Microsoft Word document masquerading as a job description for a software developer position. Opening the document triggers the exploitation of CVE-2021-40444, a remote code execution vulnerability within the MSHTML component used by Internet Explorer in Microsoft Office.

After successful exploitation, the malicious document initiates the download of an HTML file from a remote server; that file conceals JavaScript and embedded shellcode. The shellcode decodes the downloaded content to execute an injector responsible for loading the MerkSpy spyware into memory and integrating it with active system processes.

The extracted payload is protected with VMProtect. Its primary function is to inject the MerkSpy spyware into crucial system processes. The spyware operates covertly within the system, capturing sensitive information and exfiltrating it to remote servers controlled by the attackers.

## Detections/Hunting Queries
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/Znyonm](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Znyonm&threatId=-2147076851)

##### Endpoint detection and response (EDR)
Alerts with the following titles in the security center can indicate threat activity on your network:
- Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the active AV)

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
- Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)
- Suspicious use of Control Panel item

## Recommendations
Apply the following mitigations to reduce the impact of this threat and the follow-on actions taken by attackers.
- Apply the security updates for [CVE-2021-40444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444). Comprehensive updates addressing the vulnerabilities used in this campaign are available through the [September 2021 security updates](https://msrc.microsoft.com/update-guide/). While workarounds for scenarios where patching is not yet feasible are listed in [CVE-2021-40444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444), we recommend that customers apply the patch for this vulnerability and act on the secure configurations highlighted in this report as soon as possible.
- Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
- Use a supported platform, such as Windows 10, to take advantage of regular security updates.
- Turn on [cloud-delivered protection](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
- Turn on [tamper protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide) in Microsoft Defender for Endpoint to prevent malicious changes to security settings.
- Run [EDR in block mode](https://docs.
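The recommendations above are all host settings that can be checked locally. The script below is an added example, not code from the RiskIQ/FortiGuard report: it audits a Windows host against those recommendations using the built-in Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`), CIM and `Get-HotFix`, and returns one pass/fail row per control. It assumes an elevated PowerShell session on Windows 10 or later with Microsoft Defender Antivirus installed. `$ExpectedMinBuild` is a placeholder for your own patch baseline, since the report names no KB or build number, and the `Add-Finding` helper is introduced here for the example.

```powershell
# Added example (not from the report): audit a host against the report's
# recommendations. Run elevated on Windows 10+ with Defender AV installed.
[CmdletBinding()]
param(
    [int]$ExpectedMinBuild = 0   # placeholder baseline from your patch policy; 0 skips the check
)

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$findings = [System.Collections.Generic.List[object]]::new()

# Helper introduced for this example: records one control result.
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. The "Possible exploitation of CVE-2021-40444" alert requires Defender AV as
#    the active AV. AMRunningMode is "Normal" when Defender is primary, and
#    "Passive Mode" or "EDR Block Mode" when a third-party AV is primary.
Add-Finding 'Defender AV is the active AV' ($status.AMRunningMode -eq 'Normal') "AMRunningMode=$($status.AMRunningMode)"

# 2. EDR in block mode matters only when Defender AV is not the primary AV.
$blockModeOk = $status.AMRunningMode -in @('Normal', 'EDR Block Mode')
Add-Finding 'EDR in block mode (or Defender primary)' $blockModeOk "AMRunningMode=$($status.AMRunningMode)"

# 3. Cloud-delivered protection: MAPSReporting 0 = disabled, 1 = basic, 2 = advanced.
Add-Finding 'Cloud-delivered protection' ($pref.MAPSReporting -ne 0) "MAPSReporting=$($pref.MAPSReporting)"

# 4. Tamper protection is read-only here; it is switched on from Intune or the Defender portal.
Add-Finding 'Tamper protection' ([bool]$status.IsTamperProtected) "IsTamperProtected=$($status.IsTamperProtected)"

# 5. Signature age as a proxy for "latest security updates" on the AV side.
Add-Finding 'AV signatures < 2 days old' ($status.AntivirusSignatureAge -lt 2) "AntivirusSignatureAge=$($status.AntivirusSignatureAge) days"

# 6. OS build against the placeholder baseline, plus the most recent hotfix installed.
$build   = [int]$os.BuildNumber
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$buildOk = ($ExpectedMinBuild -eq 0) -or ($build -ge $ExpectedMinBuild)
Add-Finding 'OS build at or above baseline' $buildOk "Build=$build LastHotfix=$($lastFix.HotFixID) ($($lastFix.InstalledOn))"

# 7. Automatic updates not disabled by policy (NoAutoUpdate = 1 turns them off).
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Finding 'Automatic updates not disabled by policy' ($au.NoAutoUpdate -ne 1) "NoAutoUpdate=$($au.NoAutoUpdate)"

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 } else { exit 0 }
```

The non-zero exit code lets the script run as a compliance check from a scheduler or a configuration-management job; the per-control rows say which of the report's recommendations the host misses, and the AMRunningMode detail explains why the CVE-2021-40444 exploitation alert would not fire on a host where Defender is in passive mode.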
Notes ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Patching


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.