New Exploit in Microsoft MSHTML Delivers MerkSpy Spyware Tool

Posted on: 03 Jul 2024 | Author: Foresiet


A newly discovered spyware tool named MerkSpy is targeting users in Canada, India, Poland, and the U.S., exploiting a patched security flaw in Microsoft MSHTML. This campaign, identified by Foresiet researchers, highlights the critical need for vigilant cybersecurity practices, including stolen credentials detection, darknet monitoring services, and digital footprint analysis.

Attack Overview

The attack begins with a Microsoft Word document disguised as a job description for a software engineer. When opened, the document exploits CVE-2021-40444, a high-severity MSHTML flaw patched by Microsoft in September 2021. This flaw allows for remote code execution without user interaction.

Exploit Mechanism

The document downloads an HTML file named "olerender.html" from a remote server. This file uses the 'VirtualProtect' function to alter memory permissions, allowing embedded shellcode to be securely written to memory. The 'CreateThread' function then executes this shellcode, enabling the download and execution of additional malicious payloads from the attacker's server.

The downloaded payload, misleadingly named "GoogleUpdate," contains an injector that evades security detection and loads MerkSpy into memory. MerkSpy ensures persistence through changes to the Windows Registry, automatically launching upon system startup.

Capabilities of MerkSpy

MerkSpy is designed to monitor user activities covertly, capture sensitive information, and exfiltrate data to external servers controlled by the threat actors. It can capture screenshots, log keystrokes, extract login credentials stored in Google Chrome, and access data from the MetaMask browser extension. The stolen information is transmitted to the URL "45.89.53[.]46/google/update[.]php."

Additional Threats

In addition to the MerkSpy campaign, Symantec has reported a smishing campaign targeting U.S. users with fraudulent SMS messages pretending to be from Apple. These messages direct recipients to fake credential harvesting pages, which appear legitimate through the use of CAPTCHA and an outdated iCloud login template.


The exploitation of CVE-2021-40444 to deliver MerkSpy underscores the importance of robust cybersecurity measures. Organizations must invest in comprehensive security solutions, including brand protection, compromised data tracking, and brand impersonation defense, to protect against evolving threats. Staying vigilant and proactive is essential to safeguard sensitive information and maintain digital security.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.