Unknown threat actors have been leveraging a now-patched security vulnerability in Microsoft MSHTML to deploy the spying program MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the United States.
“MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” stated Cara Lin, an analyst at Fortinet FortiGuard Labs, in a report released last week.
The attack chain begins with a Microsoft Word document that appears to be a job description for a software engineer position.
However, opening the file exploits CVE-2021-40444, a high-severity remote code execution vulnerability in MSHTML, the legacy browser engine that Office uses to render embedded web content. Once the document is opened, no further interaction is needed for the exploit to run. Microsoft addressed the flaw in its September 2021 Patch Tuesday updates.
In this scenario, it allows for the download of an HTML file (“olerender.html”) from a remote server, which then triggers the execution of embedded shellcode after verifying the operating system version.
“‘Olerender.html’ uses ‘VirtualProtect’ to modify memory permissions, enabling the decoded shellcode to be securely written into memory,” Lin revealed.
“After that, ‘CreateThread’ executes the injected shellcode, setting the stage for downloading and running the next payload from the attacker’s server. This step ensures the smooth operation of the malicious code, allowing for further exploitation.”
The shellcode acts as a downloader for a file dubbed ‘GoogleUpdate,’ which contains an injector payload designed to evade detection by security software and load MerkSpy into memory.
The spyware creates persistence on the host by making changes to the Windows Registry, causing it to launch automatically at system restart. It also has the ability to covertly gather sensitive information, monitor user activity, and exfiltrate data to external servers controlled by threat actors.
This includes screenshots, keystrokes, login passwords saved in Google Chrome, and data from the MetaMask browser extension. All of this information is sent to the URL ‘45.89.53[.]46/google/update[.]php.’
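The chain above leaves a handful of observable traces: a request for the staging file ‘olerender.html’, a process spawned under Word, a registry change that survives reboot, and a beacon to the published exfiltration URL. The following Python is an added example, not code from the FortiGuard report, that turns those indicators into a small hunting script run over constructed proxy and Sysmon-style log lines. The log formats, the 203.0.113.9 staging address, the Run key as the persistence location, and the allowlist of benign Word child processes are all assumptions; only the C2 URL and file names come from the article.

```python
"""Added example: match the indicators described in the MerkSpy report against
constructed proxy and Sysmon-style log lines. Not code from the original report."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted in the article, kept defanged as published.
C2_URLS = ["45.89.53[.]46/google/update[.]php"]
STAGE_FILES = ["olerender.html"]
PAYLOAD_NAMES = ["googleupdate"]            # file "GoogleUpdate", case-folded
OFFICE_PARENTS = ["winword.exe"]
# Assumption: ordinary Word child processes that should not raise an alert.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "msoia.exe"}
# Assumption: the report says MerkSpy persists via the registry but does not
# name the key; this rule watches the classic per-user/per-machine Run key.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def refang(ioc: str) -> str:
    """Turn a published, defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_and_path(url: str) -> str:
    """Normalise a URL to 'host/path' so scheme and port differences do not matter."""
    u = urlsplit(url if "://" in url else "http://" + url)
    return (u.hostname or "") + u.path


def basename(path: str) -> str:
    """Last component of a Windows or URL path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


C2_KEYS = {host_and_path(refang(u)) for u in C2_URLS}

# Assumed log shapes: "<ts> <src> <METHOD> <url>" for the proxy, and a flattened
# "EventID=N key="value" ..." form for Sysmon process-create (1) and registry (13).
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+)$")
PROC_RE = re.compile(r'EventID=1 .*?Image="(?P<image>[^"]+)".*?ParentImage="(?P<parent>[^"]+)"')
REG_RE = re.compile(r'EventID=13 .*?TargetObject="(?P<key>[^"]+)".*?Details="(?P<value>[^"]+)"')


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    detail: str


def scan(lines):
    """Return one Alert per line that matches a rule, in log order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if m := PROXY_RE.match(line):
            key = host_and_path(m["url"])
            if key in C2_KEYS:
                alerts.append(Alert(n, "merkspy_c2_beacon", key))
            elif basename(key) in STAGE_FILES:
                alerts.append(Alert(n, "mshtml_stage_download", key))
        elif m := PROC_RE.search(line):
            child, parent = basename(m["image"]), basename(m["parent"])
            if parent in OFFICE_PARENTS and child not in BENIGN_OFFICE_CHILDREN:
                alerts.append(Alert(n, "office_spawned_process", f"{parent} -> {child}"))
        elif m := REG_RE.search(line):
            if RUN_KEY_RE.search(m["key"]):
                rule = "run_key_persistence"
                if any(p in m["value"].lower() for p in PAYLOAD_NAMES):
                    rule = "merkspy_run_key_persistence"
                alerts.append(Alert(n, rule, m["value"]))
    return alerts


# Constructed sample lines (not real telemetry). 203.0.113.9 is a documentation
# address standing in for the staging server, which the report does not name.
SAMPLE_LOGS = [
    "2024-06-25T10:01:02Z 10.0.0.15 GET http://203.0.113.9/olerender.html",
    r'EventID=1 Image="C:\Users\bob\AppData\Roaming\GoogleUpdate.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'EventID=13 TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate" Details="C:\Users\bob\AppData\Roaming\GoogleUpdate.exe"',
    "2024-06-25T10:02:30Z 10.0.0.15 POST http://45.89.53.46/google/update.php",
    "2024-06-25T10:02:31Z 10.0.0.16 GET https://www.example.com/index.html",
    r'EventID=1 Image="C:\Windows\System32\splwow64.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

Matching on ‘host/path’ rather than the raw URL string means the beacon is still caught if the operator switches scheme or port, and keeping the indicators defanged in source mirrors how they arrive in a report while ‘refang’ does the conversion once at load time. The Word-child rule is deliberately broad: the report only names ‘GoogleUpdate’, but any unexpected process under ‘winword.exe’ is worth a look after a CVE-2021-40444 lure.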
This development comes as Symantec details a smishing campaign targeting users in the United States with bogus SMS messages that claim to come from Apple and urge recipients to visit a credential-harvesting page (‘signin.authen-connexion[.]info/icloud’) in order to keep using their services.
“The malicious website is accessible from both desktop and mobile browsers,” the Broadcom-owned firm stated. “To provide a layer of perceived authenticity, they have included a CAPTCHA for consumers to complete. Following that, visitors are sent to a webpage that resembles an old iCloud login template.”
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.