Exploiting CVE-2021-40444 to Infiltrate Systems
Essential information
- Published: 02/07/2024 08:09
- Modified: 02/07/2024 08:19
- Tags: 2024-07-02 CVE-2021-40444 information theft keylogger merkspy spyware vulnerability
- Related entities: 1 vulnerabilities (cve), 6 observables, 5 techniques (mitre), 1 malware
Description
A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening the document triggered exploitation of CVE-2021-40444, which allowed arbitrary code execution. The exploit downloaded an HTML file that prepared shellcode, and the shellcode then fetched a file called GoogleUpdate containing the MerkSpy payload. MerkSpy captures sensitive information such as keystrokes and screenshots and exfiltrates the data to a remote server.