Attackers Exploit CVE-2021-40444 To Infiltrate Systems With MerkSpy

"MerkSpy is spyware targeting Microsoft Windows designed to secretly monitor activities capture sensitive information and maintain persistence. It disguises itself as a legitimate Google update file and is protected with VMProtect. Attackers exploit the CVE-2021-40444 vulnerability in Microsoft Office using deceptive Microsoft Word documents posing as job descriptions. These documents execute malicious code downloading the ""olerender.html"" payload from a remote server. The payloads shellcode acts as a downloader fetching the core spyware ""GoogleUpdate"" file. This file deeply encoded to evade detection is decoded and executed to inject MerkSpy into system processes. MerkSpy achieves persistence by adding a registry entry for GoogleUpdate.exe ensuring it runs at startup. It captures screenshots logs keystrokes retrieves Chrome login credentials and accesses the MetaMask extension then uploads the collected data to the attackers server."