{
  "name": "Exploiting CVE-2021-40444 to Infiltrate Systems",
  "slug": "exploiting-cve-2021-40444-to-infiltrate-systems",
  "description": "A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered exploitation of CVE-2021-40444 (a 2021 CVE, so successful exploitation implies an Office installation that is missing the corresponding patch), allowing arbitrary code execution. The exploit downloaded an HTML file (olerender.html, which appears among the listed observables) that prepared shellcode; the shellcode then fetched a file called GoogleUpdate containing the MerkSpy payload. MerkSpy captures sensitive information such as keystrokes and screenshots and exfiltrates the data to a remote server. The IP address, URLs and file hashes listed under observables are the indicators to hunt for in proxy, DNS and endpoint telemetry.",
  "published": "2024-07-02T06:09:48+00:00",
  "created_at": "2024-07-02T06:09:48+00:00",
  "modified_at": "2024-07-02T06:19:44+00:00",
  "created_at_opencti": "2024-07-02T06:09:48+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-02",
    "CVE-2021-40444",
    "information theft",
    "keylogger",
    "merkspy",
    "spyware",
    "vulnerability"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.89.53.46"
      },
      {
        "id": "",
        "name": "http://45.89.53.46/google/update.php"
      },
      {
        "id": "",
        "name": "http://45.89.53.46/google/olerender.html"
      },
      {
        "id": "",
        "name": "92eb60179d1cf265a9e2094c9a54e025597101b8a78e2a57c19e4681df465e08"
      },
      {
        "id": "",
        "name": "569f6cd88806d9db9e92a579dea7a9241352d900f53ff7fe241b0006ba3f0e22"
      },
      {
        "id": "",
        "name": "0ffadb53f9624950dea0e07fcffcc31404299230735746ca43d4db05e4d708c6"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:30c78ccbe228d48b",
        "name": "MerkSpy",
        "slug": "merkspy"
      }
    ],
    "attack_patterns": [
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2021-40444"
      }
    ]
  },
  "external_refs": [
    "https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-40444-to-infiltrate-systems",
    "https://otx.alienvault.com/pulse/6683b5cca19327669b11101c"
  ]
}